SAS Update

GFOA Western Pa – January 2008

Presented byRob Lent, CPA, CGFM

Sources

AICPA Auditor’s Risk Assessment Process: Tackling the New Rick Assessment SASs

GAO presentation to the AICPA Governmental Audit Quality Center July 11, 2006

Pennsylvania CPA Journal, Winter 2007

Suite of 8, The Risk Assessment StandardsSAS 104, Amendment to SAS 1, Codification of Auditing Standards and

ProceduresSAS 105, Amendment to SAS 95, Generally Accepted Auditing

StandardsSAS 106, Audit EvidenceSAS 107, Audit Risk and Materiality in Conducting an Audit (Audit

Risk and Materiality)SAS 108, Planning and SupervisionSAS 109, Understanding the Entity and its Environment and Assessing

the Risks of Material MisstatementSAS 110, Performing Audit Procedures in Response to Assessed Risks

and Evaluating the Audit Evidence ObtainedSAS 111, Amendment to SAS 39, Audit Sampling

Audit Risk

Inherent RiskControl RiskDetection Risk

General Effects of The Risk Assessment SAS

Expand the quality and depth of the auditor’s required understanding of the entity and its environment, including internal control.

Requires the auditor to assess the risks of material misstatements at the financial statement level and at the assertion level on all audits based on the understanding obtained.

General Effects of The Risk Assessment SASEliminates the “default to maximum” for control risk,

which should encourage testing of controls.Emphasizes importance of the entity’s risk assessment

process.Strengthens the linkage between assessed risks and the

auditor’s responses to those risks.Clarifies the auditor’s ability to rely on audit evidence

gathered in prior audits.Strengthens guidance for testing disclosures.

General Effects of The Risk Assessment SASClarifies and expands guidance on evaluating

audit findings.Expands documentation requirements

Results of the risk assessments at both the financial statement level and the assertion level.

The nature timing and extent of audit procedures performed.

The linkage of auditor responses with the assessed risks at the assertion lever; and

Results of audit procedures.

Key Areas

• Level of Audit Assurance• Planning and Supervision• Understanding Internal Controls• Audit Risk and Materiality• Understanding the Entity• Performing Audit Procedures• Audit Sampling• Audit Evidence and Evaluation

Level of Audit Assurance

Clarifies the meaning of reasonable assurance. “the auditor must plan and perform the audit to

obtain sufficient appropriate audit evidence so that risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements”

• Absolute assurance is not attainable. • High level of assurance

Audit Planning

Gain an understanding of the client and their environment.Performing preliminary analytical review procedures.Estimating planning materiality and tolerable misstatement.Identifying significant accounts.Conducting a fraud specific team meeting.Assessing the risk of material misstatement arising from

fraud or error at the entity level.Agreeing on timing and deliverables.Developing an overall audit strategy.

Planning and Supervision

More partner level involvementPlanning occurs through the auditDevelopment of an audit strategy• Broad approach to how the audit will be

conductedDevelopment of an audit plan• Describes in detail the nature, timing and

extent of risk assessment and further audit procedures in response to risk assessment

Should obtain a written understanding

Audit Risk and Materiality

Audit risk and materiality are used to identify and assess the risk of material misstatement

Eliminates the ability of the auditor to assess control risk “at the maximum” without having a basis for that assessment

Materiality should consider both qualitative and quantitative characteristics

Understanding the Entity

Must obtain a sufficient understanding of the entity and its environment, including internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing and extent of further audit procedures

Understanding the Entity

Risk Assessment ProceduresUnderstanding the Entity and its Environment,

Including Internal ControlAssessing Rick of Material MisstatementDocumentation

Risk Assessment Procedures

• Inquiries of management and others within the entity.

• Analytical procedures.• Observation and inspection.

Inquiry alone is not sufficient to evaluate the design of internal control and to determine whether it has been implemented.

Risk Assessment Procedures

Analytical Procedures• Must be established expectationsObservation and Inspection• Review of contracts• Observation at the entity• Transaction walk-throughs

Risk Assessment Procedures

Determine whether changes have occurred that may affect the relevance of information about the entity and its environment that was obtained in prior periods if the auditor intends to use such information in the current audit.

Risk Assessment Procedures

Initiate a discussion among the members of the engagement team about the susceptibility of the entity to material misstatements of the financial statements.

Understanding the Entity and its Environment, Including Internal Control

Obtain an understanding of the entity and its environment, including internal control. Industry, regulatory and other external factors. Nature of the entity, including the entity’s application of

accounting policies. Objectives and strategies and the related business risks,

including the entity’s risk assessment process. Measurement and review of the entity’s financial

performance.

Understanding the Entity and its Environment, Including Internal ControlControl environment.The entity’s risk assessment process.The information system and related business

processes relevant to financial reporting, and communication.

Control activities.Monitoring of controls.

The Control Environment

Tone of an organization. Integrity and Ethical Values. Competency. Governance.

Experience and knowledge. Stature within the entity and business community. Genuine interest in internal control. Independence of management. Active interaction with the external auditors.

The Control Environment

Tone of an organization. Philosophy and Operating Style. Authority and Responsibility. Human Resources.

Risk Assessment Process

The entity’s identification and analysis of relevant risks to the achievement of its objectives.

Each will have its own unique risks.External and internal factors.

New accounting systems. New personnel or employee turnover. New accounting standards. A significant and/or unusual transaction or event.

Risk Assessment Process

Reliance by an entity on its external auditor for this risk assessment is indicative of a material weakness and causes the auditor to evaluate audit risk as high.

Information and Communication Systems

Support the identification, capture and exchange of information in a form and time frame that enable employees to carry out their responsibilities.

Control Activities

Policies and procedures that help ensure that management directives are carried out.

The entity’s response to either preventing errors from occurring or detecting and correcting them if they do occur.

Monitoring

Process that assesses the quality of internal control performance over time.

Assessing the Risk of Material MisstatementAssess the risks of material misstatements at the financial

statement level and at the assertion level for classes of transactions, account balances and disclosures. Identifies risks by considering the entity and its

environment, including relevant controls that relate to the risks.

Relates the identified risks to what can go wrong at the assertion level.

Considers whether the risks are of a magnitude that could result in a material misstatement of the financial statements.

Considers the likelihood that risks could result in a material misstatement in the financial statements.

Documentation

The discussion among the audit team.The understanding of aspects of the entity and its

environment, including the components of internal control; the sources from with the understanding was obtained; and the risk assessment procedures.

The significant risks and the risks for which substantive procedures alone are not sufficient and the controls related to those risks that were evaluated.

The results of the risk assessment at both the financial statement level and at the assertion level and the basis for the assessment.

Performing Audit Procedures

Overall ResponsesAudit Procedures Responsive to Risks of Material

Misstatement at the Relevant Assertion LevelSufficiency and Appropriateness of the Audit

Evidence ObtainedDocumentation

Performing Audit Procedures

Perform test of controls to obtain audit evidence about their operating effectiveness when the auditor’s assessment of risks of material misstatements at the assertion level is based on an expectation that controls are operating effectively.

Perform tests of controls to obtain evidence about their operating effectiveness when the auditor has determined that it is not possible or practicable to reduce the risk of material misstatement at the assertion level to an appropriately low level with audit evidence obtained only from substantive procedures.

Performing Audit Procedures

Determine what additional audit evidence should be obtained for the remaining period when the auditor obtains audit evidence about the operating effectiveness of controls during an interim period.

Obtain audit evidence through a combination of inquiry, observation, and inspection about whether changes in specific controls have occurred since evidence about their operating effectiveness was obtained in a previous audit if the auditor plans to use that evidence in the current audit.

Performing Audit Procedures

Obtain audit evidence about whether changes in specific controls have occurred since evidence about their operating effectiveness was obtained in a previous audit if the auditor plans to use that evidence in the current audit. If such controls have changed since they were last tested, test

their operating effectiveness in the current audit. If such controls have not changed since they were last tested,

test their operating effectiveness at least every third audit.

Performing Audit Procedures

Plan and perform substantive procedures for each material class of transactions, account balance and disclosure irrespective of the assessed risk.

Perform substantive procedures, consisting of tests of details alone or tests of details combined with substantive analytical procedures that are specifically responsive to significant risks.

Performing Audit Procedures

Test during each audit the operating effectiveness of some controls where there are a number of controls for which the auditor determines that it is appropriate to use audit evidence obtained in prior audits.

Performing Audit Procedures

If the auditor plans to rely on controls to mitigate a “significant risk”, obtain all evidence about the operating effectiveness of such controls from tests of controls performed in the current audit.

Internal Control Documentation

Routine Processes.Non-Routine and Estimation Processes.

If the entity does not have the necessary resources to effectively execute estimation and non-routine processes, then a likely material weakness exists under the new audit standards.

Internal Control Documentation

Financial Statement Closing Process. Identification and timely analysis and adjustment of

significant accounts which require sensitive estimates and judgments.

Recording journal entries. Reconciling key accounts to their subsidiary records. Agreeing the financial records to the amounts and

disclosures in the financial statements. Determining that all required disclosures are made.

Internal Control Documentation

Financial Statement Closing Process. Documentation of accounting policies. Support for financial statement disclosures. The governing body’s review and approval of the financial

statements. If the entity does not have the necessary resources to

effectively apply GAAP to recording the entity’s financial statements or prepare its financial statements, then a likely material weakness exists under the new audit standards.

Internal Control Documentation

Information Technology Processes. General controls - policies and procedures that relate to

many applications and support the effective functioning of application controls by helping to ensure the continued proper operation on information systems.

Application controls - apply to the processing of individual applications.

Overall Responses

Determine the overall responses to address the risks of material misstatements at the financial statement level.

Audit Procedures Responsive to Risks of Material Misstatement at Relevant Assertion Level

Cannot rely on control tests alone for material matters

Cannot rely on analytics alone for material matters

Evaluating the Sufficiency and Appropriateness of Audit Evidence Obtained

Results must be evaluated togetherMatter of professional judgment

Documentation

The overall responses to address the assessed risks of misstatement at the financial statement level.

The nature, timing and extent of the audit procedures.The linkage of those procedures with the assessed risks at

the assertion level.The results of audit procedures.The conclusions reached with regard to the use in the

current audit of audit evidence about the operating effectiveness of controls that was obtained in a prior audit.

Audit Sampling

Sample size selected by non-statistical methodologies must approximate the sample sizes had statistical methods been used.

Gone are the days when audit teams pulled a sample size out of the air “based on professional judgment”

Audit Evidence and Evaluation

Audit evidence All of the information used by the auditor in arriving at

the conclusions on which the audit opinion is based.Provides additional guidance on the reliability of various

kinds of evidence.

So, Let’s Try It!!

Where do we start??

Internal Control Documentation

Identifying entity level controls.Identifying significant accounts, groups of accounts or

classes of transactions.Identifying significant underlying processes.Preparing documentation of processes.Performing walk-throughs.Asking what could go wrong questions.Identifying controls to mitigate the potential

misstatements.Assessing the likelihood that a failure could be material to

the entity’s financial statements.Relating controls to financial statement assertions.

Entity Level Controls

Control EnvironmentRisk AssessmentInformation and CommunicationControl ActivitiesMonitoring

Control Activities

What could go wrong? Questions.If key controls are absent then there is at least a

significant deficiency in the internal control design.

Control Activities

Matrix Financial statement assertion, “What could go wrong?” questions, Key controls, Control type – preventative or detective, Control activity processed by, Manual or IT dependent control, IT general control evaluated, Control effective and Control tested

AssertionsRe-categorizes the five assertions into three categories.

Classes of transactions (5 assertions) Occurrence – Transactions and events that have been

recorded have occurred and pertain to the entity. Completeness – All transactions and events that have

been recorded have occurred and pertain to the entity. Accuracy – Amounts and other data relating to recorded

transactions and events have been appropriately recorded.

Cutoff – Transactions and events have been recorded in the correct accounting period.

Classification – Transactions and events have been recorded in the proper accounts.

Assertions Account balances (4 assertions)

Existence – Assets, liabilities, and equity interests exist Rights and Obligations – The entity holds or controls the

rights to the assets, and liabilities are the obligation of the entity.

Completeness – All assets, liabilities and equity interests that should have been recorded have been recorded

Valuation and Allocation – Assets, liabilities and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.

Assertions Presentation and disclosure (4 assertions)

Occurrence and Rights and Obligations – Disclosed events and transactions have occurred and pertain to the entity.

Completeness – All disclosures that should have been included in the financial statements have been included.

Classification and Understandability – Financial information is appropriately presented and described and disclosures are clearly expressed.

Accuracy and Valuation – Financial and other information are disclosed fairly and at appropriate amounts.

Risk Assessment Overview

Fraud Risk Factors

Respond

Risk Assessment

New Process

Brainstorming

InquiriesAnalytical

Procedures

Other

Questions?

Rob Lent, CPA, CGFM 1-412-535-5500 rlent@md-cpas.com