SAS Teleconference

Similar documents
CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a. AUDITING THEORY Risk Assessment and Response to Assessed Risks

Chapter 06. Audit Planning, Understanding the Client, Assessing Risks, and Responding. McGraw-Hill/Irwin

Auditing Standards and Practices Council

THE AUDITOR S RESPONSES TO ASSESSED RISKS SRI LANKA AUDITING STANDARD 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS

Community Bankers Conference

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

Chapter 02. Professional Standards. Multiple Choice Questions. 1. Control risk is

The Auditor s Responses to Assessed Risks

Auditing & Assurance Services, 7e (Louwers) Chapter 2 Professional Standards

AUDIT RESPONSIBILITIES AND OBJECTIVES

Chapter 18. Integrated Audits of Public Companies. McGraw-Hill/Irwin. Copyright 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

Report on Inspection of KPMG AG Wirtschaftspruefungsgesellschaft (Headquartered in Berlin, Federal Republic of Germany)

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Mapping of Original ISA 315 to New ISA 315 s Standards and Application Material (AM) Agenda Item 2-C

STANDING ADVISORY GROUP MEETING

Audit Practice Introduced by HKSA (HKSA 300, 315 and 330) 10 July 2008

Audit Practice Introduced by HKSA (HKSA 315 and 330) 1 February 2008

Report on Inspection of Deloitte LLP (Headquartered in Toronto, Canada) Public Company Accounting Oversight Board

Report on Inspection of KPMG Auditores Consultores Ltda. (Headquartered in Santiago, Republic of Chile)

Comparison of the PCAOB s Auditing Standards No. 5 and No. 2 (Certain key differences are highlighted by underlining)

1. Auditors may be independent in fact but not independent in appearance. 3. Attestation standards provide guidance for a wide variety of engagements

IAASB Main Agenda (September 2004) Page Agenda Item PROPOSED REVISED INTERNATIONAL STANDARD ON AUDITING 540

Audit Workshop Part 2 12 December 2009

AN AUDIT OF INTERNAL CONTROL THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES

Auditing and Assurance Standards Council

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

WATCH WORDS FROM THE PEER REVIEW PROCESS

CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING

Accounting 408 Exam 2, Chapters 3, 4, 5, 6, E, F

Auditors Moving from Guidance to Requirements: Arriving at the Risk Assessment Standards

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Nonprofit Organizations

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

SRI LANKA AUDITING STANDARD 315 (REVISED)

(Effective for audits of financial statements for periods ending on or after December 15, 2013) CONTENTS

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

Evaluating Internal Controls

[RELEASE NOS ; ; FR-77; File No. S ]

INTERNATIONAL STANDARD ON AUDITING 500 AUDIT EVIDENCE CONTENTS

B S R & Co. LLP. Reporting on Internal. Reporting An Overview. Sarbanes Oxley Act (SOX) 28 December 2013

FREQUENTLY ASKED QUESTIONS ABOUT INTERNAL CONTROL OVER FINANCIAL REPORTING

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Auditing Standards and Practices Council

STATEMENT OF AUDITING STANDARDS 500 AUDIT EVIDENCE

IAASB Main Agenda (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1

Audit Risk. Exposure Draft. IFAC International Auditing and Assurance Standards Board. October Response Due Date March 31, 2003

VERSION #1 WRITE ON YOUR SCANTRON!!!

IAASB CAG Public Session (March 2018) CONFORMING AND CONSEQUENTIAL AMENDMENTS ARISING FROM DRAFT PROPOSED ISA 540 (REVISED) 1

International Standard on Auditing (Ireland) 315

Planning an Audit 259

Report on Inspection of PricewaterhouseCoopers Audit (Headquartered in Neuilly-Sur-Seine, French Republic)

covered member immediate family impaired not a covered member close relative not impaired

IAASB Main Agenda (March 2005) Page Agenda Item 12-C

Statements. This Standard is effective for reviews of financial statements for periods ending on or after 31 December 2013.

Auditing and Attestation (AUD) - Content Outline Effective January 2014

2016 INSPECTION OF BHARAT PARIKH & ASSOCIATES CHARTERED ACCOUNTANTS. Preface

REGISTERED CANDIDATE AUDITOR (RCA) TECHNICAL COMPETENCE REQUIREMENTS

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

What Companies Need to Do

Audit Evidence. ISA 500 Issued December International Standard on Auditing

The Auditor s Consideration of the Internal Audit Function in an Audit of Financial Statements

Auditing Standard 16

International Standard on Auditing (UK) 315 (Revised June 2016)

How well you are prepared to deal with IFC

Audit Evidence. SSA 500, Audit Evidence superseded the SSA of the same title in September 2009.

Chapter 8. Planning and Testing Operating Effectiveness of Internal Control over Financial Reporting. Prepared by Richard J.

Report on Inspection of KPMG Cardenas Dosal, S.C. (Headquartered in Mexico City, United Mexican States)

Report on Inspection of K. R. Margetson Ltd. (Headquartered in Vancouver, Canada) Public Company Accounting Oversight Board

STAFF QUESTIONS AND ANSWERS

IAASB Main Agenda (December 2008) Page Agenda Item

1. A series of business and related auditing failures led to the passage of the Sarbanes-Oxley Act (2002).

2. The auditors' report on a corporation's financial statements usually is addressed to the president of the company.

Audit & Assurance Update January 16, In This Issue. Background. Background. Key Provisions of the Estimates Standard

VERSION #1 PLEASE WRITE ON YOUR SCANTRON

Planning and Supervision

Special Audit Techniques. CA Final Paper 3: Advanced Auditing & Professional Ethics Chapter 5 CA Arijit Chakraborty

Speech by SEC Staff: Remarks before the 2007 AICPA National Conference on Current SEC and PCAOB Developments

IAASB CAG Public Session (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1

International Standard on Auditing (Ireland) 300. Planning an Audit of Financial Statements

FDICIA Reporting for Financial Institutions. Reporting Changes Under Part 363 and SAS 130

International Standard on Auditing (Ireland) 500 Audit Evidence

Report on. Issued by the. Public Company Accounting Oversight Board. June 16, 2016 THIS IS A PUBLIC VERSION OF A PCAOB INSPECTION REPORT

INTERNATIONAL STANDARD ON AUDITING (NEW ZEALAND) 315 (Revised)

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a AUDITING THEORY AUDIT PLANNING

Implementation Tool for Auditors

US U.S. AAM vs. DTTL AAM A Refresher Deloitte Touche Tohmatsu

Institute of Chartered Accountants of India. Standards on Auditing

INTERNATIONAL STANDARD ON AUDITING 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING CONTENTS

AT Assertions, Audit Procedures and Audit Evidence Red Sirug Page 1

Report on Inspection of Crowe Horwath LLP (Headquartered in Chicago, Illinois) Public Company Accounting Oversight Board

Checkpoint Contents Accounting, Audit & Corporate Finance Library Editorial Materials Audit and Attest PCAOB Audits Chapter 1 Overview 100 Background

An Overview of the 2013 COSO Framework. August 2013

Audit Evidence This section is effective for audits of financial statements for periods ending on or after December 15, 2012.

6 Assessment of risk Introduction General risk assessment Specific risk assessment Reliability factors 50 6.

IAASB Main Agenda (March 2019) Agenda Item

Mapping Document AU Section 322 to Clarified Statement on Auditing Standards Using the Work of Internal Auditors

COSO 2013: Updated internal control framework

PLANNING AN AUDIT OF FINANCIAL STATEMENTS

International Standard on Auditing (Ireland) 402 Audit Considerations Relating to an Entity using a Service Organisation

THE AUDITOR S RESPONSIBILITIES AND FUNCTIONS, INTRODUCTION TO GAAS, AND THE GENERAL STANDARDS (INCLUDING THE QUALITY CONTROL STANDARDS)

Transcription:

SAS 104-111 Teleconference Jan. 15, 2009 Craig Funkhouser, Crowe Horwath LLP craig.funkhouser@crowehorwath.com Ken Goldmann, J.H. Cohn kgoldmann@jhcohn.com 1

Today s Program Historical Background, Review Of Key Terms Of SAS 104-111: Craig Funkhouser, Slides 3 Through 31 Lessons For Companies: Ken Goldmann, Slides 32 Through 51 Early Experiences From Implementation Of SAS 104-111: Craig Funkhouser, Slides 52 Through 72 A Look Forward: Craig Funkhouser And Ken Goldmann, Slides 73 Through 83 2

Historical Background, Review Of Key Terms Of SAS 104-111 3

How Did We Get Here? Bad publicity beginning with Enron: 2001 Congress passes the Sarbanes-Oxley Act of 2002 AICPA issues SAS No. 99, Consideration of Fraud in a Financial Statement Audit, effective in 2003 PCAOB issues Audit Standard No. 2, Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, in 2004 AICPA issues SAS No. 103, December 2005 AICPA issues SAS Nos. 104 through 111, March 2006 AICPA issues SAS No. 112, May 2006 AICPA issues SAS No. 114, December 2006 PCAOB issues Audit Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, 2007 4

AICPA Risk Assessment Standards Eight new auditing standards Enhance auditor performance Improve audit effectiveness Encourage auditors to focus on areas where the risk of misstatement is the greatest Effective for audits of financial statements for periods beginning on or after Dec. 15, 2006 SAS 103 and SAS 112 were effective for periods ending on or after Dec. 15, 2006 and are NOT considered part of the risk assessment standards SAS 114 The auditor s communication with those charged with governance is effective for periods beginning on or after Dec. 15, 2006 and is NOT considered part of the risk assessment standards 5

SAS Nos. 103, 112 And 114 SAS No. 103, Audit Documentation Effective for periods ending after Dec. 15, 2006 Changes documentation standards, supersedes SAS No. 96 Changes how auditors date their audit reports SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit Effective for periods ending after Dec. 15, 2006 Changes the classification of control deficiencies Changes how auditors assess severity of deficiencies Changes communication requirements SAS No. 114, The Auditor s Communication with Those Charged with Governance Effective for periods beginning after Dec. 15, 2006 Changes required communications, supersedes SAS No. 61 Not only for companies who maintain an audit committee 6

Overview Of Risk Assessment Standards Statement on Auditing Standards (SAS) No. 104 Amendment to SAS No. 1, Codification of Auditing Standards and Procedures SAS No. 105 Amendment to SAS No. 95, Generally Accepted Auditing Standards SAS No. 106 Audit Evidence SAS No. 107 Audit Risk and Materiality in Conducting an Audit SAS No. 108 Planning and Supervision SAS No. 109 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement SAS No. 110 Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained SAS No. 111 Amendment to SAS No. 39, Audit Sampling 7

Overview Of Risk Assessment Standards (Cont.) These statements establish standards and provide guidance concerning: The auditor s assessment of the risks of material management (whether caused by error or fraud) in a financial statement audit The design and performance of audit procedures whose nature, timing and extent are responsive to the assessed risks 8

Overview Of Risk Assessment Standards (Cont.) The statements also establish standards and provide guidance on: Planning and supervision The nature of audit evidence, and Evaluating whether the audit evidence obtained affords a reasonable basis for an opinion regarding the financial statements under audit 9

Overview Of Risk Assessment Standards (Cont.) The primary objective is to enhance auditors application of the audit risk model in practice by specifying, among other things: More in-depth understanding of the entity and its environment, including its internal controls, to identify the risks of material misstatement in the financial statements and what the entity is doing to mitigate them More rigorous assessment of the risks of material misstatement of the financial statements, based on that understanding Improved linkage between the assessed risks and the nature, timing and extent of audit procedures performed in response to those risks 10

Risk Assessment Provisions The major risk assessment provisions are designed to: Expand the quality and depth of the auditor s required understanding of the entity and its environment, including its internal controls Require the auditor to assess the risks of material misstatements at the financial statement level and at the assertion level on all audits based on the understanding obtained Eliminate the default to maximum for control risk, which should encourage testing of controls 11

Risk Assessment Provisions (Cont.) The major risk assessment provisions are designed to: Emphasize the importance of the entity s risk assessment process Strengthen the linkage between assessed risks and the auditor s response to those risks Clarify the auditor s ability to rely on audit evidence gathered in prior audits Strengthen guidance for testing disclosures Clarify and expand guidance on evaluating audit findings, and Expand documentation requirements 12

SAS No. 104 Expands the definition of reasonable assurance to a high, but not absolute, level of assurance Requires the auditor to plan and perform the audit to limit audit risk to a low level 13

SAS No. 105 Expands the scope of the understanding that the auditor must obtain in the second standard of field work from internal control to the entity and its environment, including its internal control The quality and depth of the understanding to be obtained is emphasized by amending its purpose from planning the audit to assessing the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures Use of generic or standard audit programs is not appropriate, since risk varies among entities being audited 14

SAS No. 106 Introduces the concept of risk assessment procedures Identifies risk assessment procedures Inquiries of management and others in the entity Analytical procedures Observation, inspection and other audit evidence Clearly states that inquiry alone is not sufficient in evaluating the design of an internal control and to determine whether it has been implemented Recategorizes assertions by classes of transactions and events, account balances, and presentation and disclosure; and describes how the auditor uses relevant assertions to assess risk and design audit procedures 15

Financial Statement Assertions SAS 106 identifies 13 assertions rather than five. The assertions are as follows: Assertions per SAS 106, paragraph. 15 Transactions Occurrence Completeness Accuracy Cutoff Classification Acct Balances Existence Rights & Obligations Completeness Valuation & Allocation Presentation Occurrence & Rights & Obligations Completeness Classification & Understandability Accuracy & Valuation No. Of Assertions 13 16

SAS No. 107 SAS No. 107 states that the auditor must consider audit risk and must determine a materiality level for the financial statements taken as a whole The determination of materiality takes into account how users with the following characteristics could reasonably be expected to be influenced in making economic decisions. Users are assumed to: Have an appropriate business knowledge and a willingness to study the financial statements Understand that financial statements are prepared and audited to levels of materiality Recognize the uncertainties inherent (estimates, judgments, consideration of future events) Make appropriate economic decisions on the basis of information in the financial statements 17

SAS No. 107 (Cont.) Audit risk consists of: The risk of material misstatement (consisting of inherent risk and control risk) that the relevant assertions related to balances, classes or disclosures contain misstatements (whether caused by error or fraud) that could be material to the financial statements, when aggregated with misstatements in other relevant assertions related to balances, classes, or disclosures The risk (detection risk) that the auditor will not detect such misstatements 18

SAS No. 107 (Cont.) Tolerable misstatement is the maximum error in a population that the auditor is willing to accept When assessing the risks of material misstatements and designing and performing further audit procedures to respond to the assessed risks, the auditor should allow for the possibility that some misstatements of lesser amounts than the materiality levels could, in the aggregate, result in a material misstatement of the financial statements. To do so, the auditor should determine one or more levels of tolerable misstatement. Such levels of tolerable misstatement are normally lower than the materiality levels 19

SAS No. 107 (Cont.) The auditor must accumulate all known and likely misstatements identified during the audit, other than those that the auditor believes are trivial, and communicate them to the appropriate level of management (SAS No. 107) The auditor should request management to record adjustments needed to correct all known misstatements When the misstatements are considered likely, the auditor should request that management examine the situation in order to identify and correct misstatements therein 20

SAS No. 108 SAS No. 108 provides guidance on: Appointment of the independent auditor Establishing an understanding with the client (should be written) Preliminary engagement activities The overall audit strategy (formerly audit approach ) The audit plan (formerly audit program ) Determining the extent of involvement of professionals possessing specialized skills Using a professional possessing information technology (IT) skills to understand the effect of IT on the audit Additional considerations in initial audit engagement; Supervision of assistants 21

SAS No. 109 SAS No. 109 establishes requirements and provides guidance about implementing the second standard of fieldwork, as follows: The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures The auditor should assess the risk of material misstatement at both the financial statement and relevant assertion levels Under the previous standard, the primary purpose of gaining an understanding of internal control was to plan the audit 22

SAS No. 109 (Cont.) SAS No. 109 states that the audit team should discuss the susceptibility of the entity s financial statements to material misstatement Previous standards did not require a brainstorming session to discuss the risk of material misstatements This discussion can be held concurrently with the SAS No. 99 fraud brainstorming session, and SAS 109 requires that this discussion among the audit team members be appropriately documented 23

SAS No. 110 SAS No. 110 provides guidance on determining overall responses, and designing and performing further audit procedures, to respond to assessed risks of material misstatements at the financial statement and relevant assertion levels. The auditor s overall responses to address the assessed risks of material misstatement at the financial statement level may include: Emphasizing professional skepticism in gathering and evaluating audit evidence Assigning more experienced personnel or those with specialized skills Providing more supervision Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed, and Making general changes to the nature, timing or extent of further audit procedures 24

SAS No. 110 (Cont.) In designing further audit procedures, the auditor should consider such matters as: The significance of the risk The likelihood that a material misstatement will occur The characteristics of the class of transactions, account balance or disclosure involved The nature of the specific controls used by the entity in particular, whether they are manual or automated Whether the auditor expects to obtain audit evidence to determine if the entity s controls are effective in preventing or detecting material misstatements 25

SAS No. 110 (Cont.) The auditor should perform tests of controls when: The auditor s risk assessment includes an expectation of the operating effectiveness of controls; or Substantive procedures alone do not provide sufficient appropriate audit evidence at the relevant assertion level When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor should determine what additional audit evidence should be obtained for the remaining period If the auditor plans to rely on the operating effectiveness of controls intended to mitigate a significant risk, the auditor should obtain audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period 26

SAS No. 110 (Cont.) SAS No. 110 states that the auditor should perform certain substantive procedures for all engagements. These procedures include: Performing substantive tests for all relevant assertions related to each material class of transactions, account balances and disclosures, regardless of the assessment of the risk of material misstatement Agreeing the financial statements, including their accompanying notes, to the underlying accounting records Examining material journal entries and other adjustments made during the course of preparing the financial statements 27

SAS No. 111 SAS No. 111 provides guidance relating to the auditor s judgment about establishing tolerable misstatement for a specific audit procedure and on the application of sampling to tests of controls. This statement amends SAS No. 39, Audit Sampling, to state the following: When planning a sample for a test of details, the auditor should determine the tolerable misstatement for the sample Tolerable misstatement is the maximum error in a population (for example, the class of transactions or account balance) that the auditor is willing to accept. This term may be referred to as tolerable error in other standards 28

SAS No. 111 (Cont.) An auditor who applies statistical sampling uses tables or formulas to compute sample size based on these judgments An auditor who applies non-statistical sampling uses professional judgment to relate these factors in determining the appropriate sample size. Ordinarily, this would result in a sample size comparable to the sample size resulting from an efficient and effectively designed statistical sample, considering the same sampling parameters 29

SAS No. 111 (Cont.) To determine the number of items to be selected in a sample for a particular test of details, the auditor should consider: Tolerable misstatement Expected misstatement Audit risk Characteristics of the population Assessed risk of material misstatement (inherent risk and control risk) Assessed risk for other substantive procedures related to the same assertion 30

Conclusions How will these standards impact me? Public accountants: Revisions to audit approach Increased focus on assessing risks Increased procedures relative to internal controls Documentation Private accountants Opportunity to reduce costs by: Preparation of comprehensive documentation of policies and procedures Identification of key internal controls Identification of risk exposure Preparation of the financial statements and related disclosures Increased focus on good corporate governance Higher-quality financial reporting Business process improvements 31

Lessons For Companies 32

Lessons For Companies Recent events in the financial markets raise many questions Do companies understand the risk assessment processes? Do people really understand what risks their company faces? How are you dealing with the risk of fraudulent financial reporting? SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Are we so concerned with material misstatement in the financial statements that we ve lost sight of business risk? 33

What Should Companies Be Doing? Answer the following questions: How is risk defined at your company (or, is defined)? How effective is your governance process over risk? What risks exist today? What processes exist to analyze your risk? What processes exist to quantify your risk? What processes exist to be sure all business units understand your risk profile? What is being done to mitigate your risks? What keeps you up at night? 34

The Audit Risk Model Audit risk (AR) = Inherent risk (IR) X control risk (CR) X detection risk (DR) AR = IR X CR X DR Components of audit risk Inherent risk Risk existing in balances or transactions (Complexity, judgment, theft, obsolescence) Control risk Risk that ICFR isn t effective Detection risk Risk that error will not be found 35

Internal Audit Engagement Approach 36

Phase 1: Scoping And Understanding Business Objectives Obtain a clear and comprehensive understanding of your: Environment Organization culture Objectives The operating model in which the internal control structure must operate and be effective to mitigate enterprise risk How is this accomplished? By interviews with key management personnel Review of any previous risk assessments Audit plans, strategic plans, marketing plans, financial budgets, management representation letters and IT plans 37

Phase 2: Risk Assessment Develop an assessment of risks: business, financial, operational, compliance, as well as any others that are pertinent given the organizational objectives Focus is on the areas of high risk and areas that are important to management in the achievement of its business objectives To the extent available, use your internal audit function, as it is an integral part of keeping management informed of opportunities for efficiencies and improvements in an organization s internal control structure 38

Phase 3: Develop Audit Plan Once the risk assessment is complete, develop and prepare a document that identifies the potential audit universe This document will identify each audit area, along with an assigned risk rating and recommended audit cycle Develop a current-year audit schedule Ensure that the plan will meet your goals and objectives 39

Phase 4: Execute Audit Plan Begin each audit with a pre-audit meeting Once scope has been set and communicated, develop and execute the test plans Include detailed testing Interviewing Process-mapping Document review Observation Throughout this phase, your team should continuously communicate with management as to progress, potential issues and needs 40

Phase 5: Reporting And Monitoring During the course of any audit, issues will surely arise. These should be reported in three ways 1. Continuously communicate with management as your teams progress through each audit 2. Prepare a summary document that reflects all of the issues noted during the course of the audit 3. Draft a formal audit report that reflects all previously discussed issues, recommendations and management s agreed-to action plans 41

New SEC Guidance Released in conjunction with proposed Auditing Standard No. 5 (AS-5) Key points in release: Top-down, risk based approach Entity-level, anti-fraud and compensating controls become more important Evaluation of controls based on identification and assessment of risk Subsequent years effort will be reduced (focus only on changes in risk) IT general controls necessary to address financial reporting risks Evidence (amount of testing) based on risk assessment 42

Road Map For Compliance Planning/ Scoping Phase Documentation Phase Testing Phase Develop Project Plan & Scoping Document/Update the As Is Process & Controls Develop/Update RCMs & Test Scripts (Identification of Key Controls) Key Control Testing Enterprise Risk Assessment Fraud Assessment Project scope Project Plan Design Gaps Operating Effectiveness Gaps Remediation Operating Effectiveness Gaps Remediation will require re-testing of the control after the fix is implemented. It may involve documentation update as well 43

Some Key Factors To Consider Typical areas of concern Non-routine transactions Estimates IT general and application-level controls Depth of testing to substantiate effectiveness of control Judgment on severity of identified weakness Effective PMO Timely remediation of gaps 44

Achieving Effective ICFR The COSO Framework Control environment Risk Assessment Control activities Information and communication Monitoring 45

Control Environment Integrity and ethical values Board of directors Management s philosophy and operating style Organizational structure Financial reporting competencies Authority and responsibility Human resources 46

Risk Assessment Financial reporting objectives Financial reporting risks Fraud risk 47

Control Activities Integration with risk assessment Selection and development of control activities Policies and procedures Information technology 48

Information And Communication Financial reporting information Internal control information Internal communication External communication 49

Monitoring Ongoing and separate evaluations Reporting deficiencies 50

Management To-Dos What could go wrong? Focus on risks that are significant and likely Know the objectives of internal controls Provide effectiveness and efficiency of operations Ensure reliable financial reporting Comply with laws and regulations 51

Early Experiences From Implementation Of SAS 104-111 52

Implementation Summer 2006 through Fall 2007 Extensive training for auditors Over-communication with clients Awareness: Informing clients of changes in audit standards Increased time required to complete the audit Increased fees Overall impact on the audit Comprehensive revisions to audit methodology 53

Before The Risk Standards SAS 112, Communication of Control Deficiencies Redefined material weaknesses, significant deficiencies and deficiencies, while eliminating the term reportable condition Enhanced required communications (need to repeat SD and MW) Required auditors to inform the clients whether the identified control deficiencies are significant deficiencies or material weaknesses Huge impact when combined with new risk-based standards 54

SAS 112 Letters Change in terminology Classification of comments Material weakness A material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity s internal controls 55

SAS 112 Letters (Cont.) Change in terminology Classification of comments Significant deficiency A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity s ability to initiate, authorize, record, process or report financial data reliably in accordance with generally accepted accounting principles, such that there is more than a remote likelihood that a misstatement of the entity s financial statements that is more than inconsequential will not be prevented or detected by the entity s internal control 56

SAS 112 Letters (Cont.) Change in terminology Classification of comments Deficiency A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis Best practice A matter which you may find of interest not related to a control matter (in theory, these comments should address how management can improve their operations and are viewed as valueadded comments) 57

SAS 112 Letters (Cont.) Deficiency communication What is the control issue, what is the risk, what is the recommendation? Testing LIFO Unit Counts Significant Deficiency Observation: During our testing of the LIFO reserve, we noted several instances where the same item in multiple inventory locations had a different LIFO unit cost. Most differences in LIFO unit costs had immaterial impacts on the LIFO reserve calculation, and correspondingly, net income. One instance resulted in the misstatement of net income from 2002-2007 by approximately $580,000. However, the cumulative impact over time was only $60,000. Management has not compared LIFO costs between locations to ensure that the same base year cost is being utilized. Business Risk: The business risk associated with this deficiency is that the LIFO reserve may not be fairly stated and, as noted above, income may be misstated. Recommendation: We recommend that management implements control procedures as part of its monthly closing process to check for similar instances so that any errors are identified and resolved timely. Management s Response: Management will look into implementing procedures during the next fiscal year to improve the LIFO costing process and verify no errors exist. (Implemented prescribed formats for management comment letters) 58

SAS 104-111 Early Experiences Changes In Audits Materiality levels have changed (usually lower) Confirmation testing has increased More receivable confirmations, for example More extensive understanding of internal controls Observing, reviewing, corroborating supporting evidence Additional time spent with client personnel More extensive understanding of IT controls Observing, reviewing, corroborating supporting evidence Time spent understanding the interplay with manual controls Enhanced IT control testing 59

SAS 104-111 Early Experiences Changes In Audits (Cont.) More extensive testing of internal controls Manual and computer controls More linkage of reliance on controls to other substantive testing Understand entity level controls risk impact linkage Conveyance of SAS 104-111 to foreign auditors, for them to comply with U. S. GAAS requirements 60

SAS 104-111 Early Experiences Client Matters Our auditors are requesting more information regarding: Internal controls computer and manual Various procedures corroborating Client policies not always written This information must be supported by written internal documentation Must be maintained by the client Should not simply be the internal control questionnaires or forms maintained by the outside auditor 61

SAS 104-111 Early Experiences Client Matters (Cont.) More formal documentation is required of our clients Journal entries documentation of who prepared and who reviewed Account reconciliations documentation of who prepared and who reviewed Monthly results formal documentation of the review of actual results to budgeted results and same month/prior year results Some clients feel that the playing field has changed, while other clients embrace the enhanced audit standards 62

SAS 104-111 Early Experiences Auditor Issues/Comments The risk assessment standards had little effect on the design of certain audit procedures Auditors are still spending time on areas where risk of misstatement is not great Example of long-term debt Client performs, reviews and documents the reconciliation process, from lender statements to the general ledger Audit team still sends confirmations, tests interest reasonableness and performs other non-value added audit procedures 63

SAS 104-111 Early Experiences Auditor Issues/Comments (Cont.) The risk assessment standards drive deficiency communication even without audit adjustments Client did not document any of their controls, and controls could not be corroborated by the auditors Client got the answer right in the end; standards indicate the need to communicate deficiencies even without an audit adjustment Lesson per the standard: It is not appropriate to be lucky vs. good when it involves controls 64

SAS 104-111 Early Experiences Auditor Issues/Comments (Cont.) Corroboration > inquiry In the past, we would inquire as to who had wire transfer authority Now, we would ask to see an official list provided to, or confirmed by, the bank Many times, we find terminated employees on that list, which we would not have seen if we depended on inquiry 65

SAS 104-111 Early Experiences Awkward Situations With Clients Prior audits The auditors proposed/prepared journal entries representing proposed corrections of accounting records Prior to risk assessment standards, maybe no management comments addressed this issue This year, audit team issued a material weakness regarding accounting and reporting relating to the proposed corrections of the accounting records Corrections are usually an indicator that controls were not functioning correctly or do not exist to keep accounting information correct 66

SAS 104-111 Early Experiences Awkward Situations With Clients (Cont.) Hesitation to provide completed trial balances or schedules Clients do not want any deficiencies (or significant deficiencies or material weaknesses) Clients then hold back providing schedules or intentionally omit certain line items (e.g., income taxes) Ultimate result is a debate as to who identified the need for an adjusting entry 67

SAS 104-111 Early Experiences Awkward Situations with Clients (Cont.) Complex accounting issues Hedge accounting FAS No. 133 Clients not taking responsibility to comply with standard Clients ultimately rely on outside auditors Sometimes judgmental issues Extra time spent debating classification of comments Clients want best practices Control observations are deficiencies Must repeat observations or make reference to prior observations if still present added communication 68

SAS 104-111 Early Experiences Awkward Situations with Clients (Cont.) Owner-managed businesses Little or no documentation of entity-level controls No formal meetings among ownership, management, others No corporate governing committee Resulting in no formal documentation of: Review of financial statements Approval of significant, unusual transactions Changes to employment policies Clients ask: What is the value of documenting these processes? 69

SAS 104-111 Early Experiences Client Interactions Instances where all risk assessments were completed well in advance of year-end We met with management and those charged with governance to discuss the significant deficiencies Management adopted all recommendations and made changes in their control system (policies/procedures) prior to year-end and corrected past information, if necessary We considered this similar to remediation under AS-5, Public Company Audit Requirement No control-related deficiencies in their SAS 112 letter 70

SAS 104-111 Early Experiences - Conclusions This is not a blame game How can auditors help you? The recommendation is the key More communications with your auditors Anything that will drive more communication with your auditors will be good for you... unless you have something to hide Inherent risk CFOs cannot control inherent risk (e.g., economic times, gas at $4.25 per gallon) Must think about controls in place to deter those employees who may be tempted to steal inventory, use manual checks for personal use, etc. 71

SAS 104-111 Early Experiences Conclusion (Cont.) Win for the client More information about their control systems More communication with auditors about risks Win for the auditors More communication with clients Better understanding about control systems Win for the public trust Better financial information Improved interim financial reporting due to enhanced controls 72

A Look Forward 73

Looking Forward After SAS 104-111 SAS No. 115 PCAPB proposal of seven new auditing standards 74

Statement On Auditing Standards (SAS) No. 115, Communicating Internal Control Related Matters in an Audit Supersedes SAS No. 112 Revisions to definitions to align with AS-5 Implications for government audits Management letter change 75

Material Weakness A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility 1 that a material misstatement of the entity s financial statements will not be prevented or detected and corrected 1 FAS No. 5 Remote, Reasonably Possible and Probable 76

Significant Deficiency A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance 77

Implications For Government Audits Not Yet Adopted Government Auditing Standards Circular A-133 Other similar federal regulations Audit guides Do not implement early SAS No. 115 under these standards! 78

Management Letter Changes Auditor s consideration of internal control was not designed to identify all deficiencies in internal control that might be significant deficiencies or material weaknesses and therefore, there can be no assurance that all deficiencies, significant deficiencies or material weaknesses have been identified 79

Communication Content Best made by report release date No later than 60 days following release date Include statement indicating consideration of internal controls not designed to identify all SD or MW Effective Date Periods ending on or after Dec. 15, 2009 Earlier implementation is permitted, except as previously noted 80

PCAOB Proposal Of Seven New Standards Proposed Oct. 21, 2008 120-day comment period expires Feb. 18, 2009 Replaces existing Interim PCAOB Standards All proposed standards deal with audit risk 81

PCAOB Proposal Of Seven New Standards (Cont.) The proposed new standards are: Audit Risk in an Audit of Financial Statements Audit Planning and Supervision Identifying and Assessing Risks of Material Misstatement The Auditor s Responses to the Risks of Material Misstatements Evaluating Audit Results Consideration of Materiality in Planning and Performing an Audit Audit Evidence 82

PCAOB Proposal Of Seven New Standards (Cont.) Improvements to audits of public companies The PCAOB has stated that the proposed standards: Would update the existing requirements to take account of the improved risk-based audit methodologies currently in use by some auditors Should enhance integration of the audit of the financial statements with the audit of internal control over financial reporting, resulting in more effective audits Would integrate the auditor s current responsibilities for considering fraud during the audit Would serve as an improved foundation for future standard-setting Reflect the Board s effort to reduce unnecessary differences with the risk assessment standards of other auditing standard-setters 83

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback