Auditing Standards Update Ensuring Integrity: Third Annual Auditing Conference Harold L. Monk, Jr. CPA, CFE

Session Objectives Session Objectives Discuss recent ASB activity and obtain an understanding of recently issued auditing and quality control standards. Discuss recent ASB activity and obtain an understanding of recently issued auditing and quality control standards. Discuss other recent audit activities and obtain an understanding of guidance available to assist practitioners in improving the effectiveness and efficiency of their engagements and practices. Discuss other recent audit activities and obtain an understanding of guidance available to assist practitioners in improving the effectiveness and efficiency of their engagements and practices.

Recent Auditing Standards Board Activities Clarity Project

Clarity Background Background –Discussion paper issued March 2007 –ASB considered comments received and approved direction forward August 2007 Goals: Goals: –Address concerns over length and complexity of standards –Make standards easier to read, understand and implement –Will lead to enhancements in audit quality

Clarity Drafting Conventions Introduction Introduction Objective Objective Definitions Definitions –Terms used in the SAS are defined –Establish separate glossary of terms Requirements and Application Material Requirements and Application Material

Objective Create objectives for each standard Create objectives for each standard Establish obligation relating to the objective Establish obligation relating to the objective Provide a framework for the application of professional judgment Provide a framework for the application of professional judgment Outcome based goal Outcome based goal Difficult to achieve the overall objective of the audit if individual objectives are not achieved Difficult to achieve the overall objective of the audit if individual objectives are not achieved

Requirements and Application Material Application and other explanatory material presented in a separate section that follows the requirements Application and other explanatory material presented in a separate section that follows the requirements Application and other explanatory material paragraphs numbered using an A prefix Application and other explanatory material paragraphs numbered using an A prefix Cross-referencing between requirements and related application material Cross-referencing between requirements and related application material

Other Special considerations sections Special considerations sections –for governmental entities –for smaller, less complex entities

ConvergenceOf Auditing Standards

Convergence means my way

What do the words mean?

Other challenges: Large vs. Small

Other challenges: Rules vs. Principles

Clarity and Convergence Convergence with ISAs Convergence with ISAs –Removal of unnecessary differences Supplemental materials with EDs Supplemental materials with EDs –Exhibit of substantive differences with ISA –Mapping of the requirements and guidance contained within extant AU section to the proposed SAS; and –Schedule of proposed changes in requirements and explanatory material as a result of redrafting. –Schedule of detailed changes in language between the proposed SAS and the ISA.

Audit and Attest Update Clarity Project Project will take years to complete Project will take years to complete During this period, few new standards will be issued During this period, few new standards will be issued –Only those that are needed to respond to emerging issues (e.g. SAS 74) “Clarified standards” will be exposed over the next few years and finalized “Clarified standards” will be exposed over the next few years and finalized –Target date for final approval June 2010

Audit and Attest Update Clarity Project Once finalized, they’ll be made available to practitioners. Once finalized, they’ll be made available to practitioners. However, the standards will not become effective piecemeal. However, the standards will not become effective piecemeal. With limited exceptions, all “clarified standards” will become effect at the same time With limited exceptions, all “clarified standards” will become effect at the same time –Most likely 2011

Audit and Attest Update Risk Assessment Standards SASs

Risk Assessment Standards The risk assessment standards consist of: The risk assessment standards consist of: –SAS No. 104, Amendment to Statement on Auditing Standards No. 1 –SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards –SAS No. 106, Audit Evidence –SAS No. 107, Audit Risk and Materiality in Conducting an Audit (Audit Risk and Materiality) –SAS, No. 108, Planning and Supervision –SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Assessing Risks) –SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Performing Procedures) –SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling

Background Objective is to guide auditors to areas of greatest risk whether caused by error or fraud Objective is to guide auditors to areas of greatest risk whether caused by error or fraud Issued in March Issued in March Effective for periods beginning after 12/15/06. Effective for periods beginning after 12/15/06.

Risk Assessment Standards Enhances the auditor’s application of the audit risk model in practice by requiring: Enhances the auditor’s application of the audit risk model in practice by requiring: –More in-depth understanding of the entity and its environment, including its internal control –More rigorous assessment of the risks of material misstatement –Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed

Overview of Risk Assessment Process Perform risk assessment procedures Gain an understanding of the entity Assess the risks of material misstatement Overall financial statement Level Assertion Level Overall Responses Further audit procedures Evaluate Sufficiency of Audit Evidence

Q&A—Internal Control Question—Can I still default to a maximum control risk? Question—Can I still default to a maximum control risk? Answer—No. The standards require that the auditor obtain a sufficient understanding of the five components of the client’s internal control to assess control risk. Answer—No. The standards require that the auditor obtain a sufficient understanding of the five components of the client’s internal control to assess control risk. TIS

Q&A—Internal Control Question—The standards say the auditor should test controls when they have an “expectation of the operating effectiveness of controls.” What does that phrase mean? Question—The standards say the auditor should test controls when they have an “expectation of the operating effectiveness of controls.” What does that phrase mean? Answer—It means the auditor’s initial assessment of control risk is at less than maximum; and the auditor’s strategy contemplates a combined approach. Answer—It means the auditor’s initial assessment of control risk is at less than maximum; and the auditor’s strategy contemplates a combined approach. TIS

Q&A—Internal Control Question—Can an auditor design a substantive audit approach even if the auditor’s assessment of internal control causes him or her to believe that controls are designed effectively? Question—Can an auditor design a substantive audit approach even if the auditor’s assessment of internal control causes him or her to believe that controls are designed effectively? Answer—Yes, if the auditor believes that the costs of testing controls exceeds the benefits of testing. (Consider there are numerous assessments, not one.) Answer—Yes, if the auditor believes that the costs of testing controls exceeds the benefits of testing. (Consider there are numerous assessments, not one.) TIS

Q&A—Inherent Risk Question— Inherent risk is “the susceptibility of a relevant assertion to a misstatement that could be material… assuming that there are no related controls.” Can an auditor ignore all controls if the auditor assesses inherent risk as low? Question— Inherent risk is “the susceptibility of a relevant assertion to a misstatement that could be material… assuming that there are no related controls.” Can an auditor ignore all controls if the auditor assesses inherent risk as low? Answer—No. A low inherent risk does not mean a low risk of material misstatement. The auditor is required to assess RMM (IR X CR). Be careful as to assumed controls. Answer—No. A low inherent risk does not mean a low risk of material misstatement. The auditor is required to assess RMM (IR X CR). Be careful as to assumed controls. TIS

Q&A—Use of Walkthroughs Question—How often do walkthroughs need to occur? Question—How often do walkthroughs need to occur? Answer—Auditors will most likely perform walkthroughs annually to document their understanding of internal control and to establish the continued reliance of audit evidence obtained in prior periods. Answer—Auditors will most likely perform walkthroughs annually to document their understanding of internal control and to establish the continued reliance of audit evidence obtained in prior periods. TIS

Q&A—Journal Entries Question—Paragraph 52 of SAS No. 110 refers to “adjustments made during the course of preparing the financial statements” to address entries prepared by the client during the process of drafting the financial statements (rather than all entries posted in the accounting system at year end). Is this correct? Question—Paragraph 52 of SAS No. 110 refers to “adjustments made during the course of preparing the financial statements” to address entries prepared by the client during the process of drafting the financial statements (rather than all entries posted in the accounting system at year end). Is this correct? Answer—Yes, this requirement relates to entries posted during the financial statement closing process. SAS 99 establishes requirements to test journal entries during the audit period. TIS Answer—Yes, this requirement relates to entries posted during the financial statement closing process. SAS 99 establishes requirements to test journal entries during the audit period. TIS

Risk Assessment Standards Resources available Resources available –Audit Guide – Assessing and Responding to Audit Risk in a Financial Statement Audit –Audit Risk Alert – Issued in March 2006 –CPE Courses –Articles in JOA –Technical Practice Aid

Audit and Attest Standards Update Revisions of AT 501 And SAS 112

Revisions of AT 501 ASB task force worked with bank regulators to revise AT 501 ASB task force worked with bank regulators to revise AT 501 –Incorporates elements of PCAOB AS5 Finalized in August, 2008 Finalized in August, 2008 Revised AT 501 is to be effective for years ending on or after December 15, 2008 Revised AT 501 is to be effective for years ending on or after December 15, 2008 –Most firms who would use AT 501 will already be using AS 5

Revisions of AT 501 Like AS 5, an AT 501 examination is an integrated engagement with the audit of the financial statements. Like AS 5, an AT 501 examination is an integrated engagement with the audit of the financial statements. Will only be able to use AT 501 when financial statements are also audited Will only be able to use AT 501 when financial statements are also audited Examining and reporting on only design effectiveness of internal control has been moved to AT 101 and then audited financial statements are not required. Examining and reporting on only design effectiveness of internal control has been moved to AT 101 and then audited financial statements are not required.

Revisions of AT 501 A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected on a timely basis. –Note: There is a reasonable possibility of an event, as used in this Statement, when the likelihood of the event is either "reasonably possible" or "probable," as those terms are used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies

Revisions of AT 501 A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Revisions of SAS 112 Conforming changes have been made using these same definitions. Conforming changes have been made using these same definitions. Definitional changes will be effective in 2009 (early implementation will be allowed). Definitional changes will be effective in 2009 (early implementation will be allowed). Other changes will be made through the clarity project at a later date. Other changes will be made through the clarity project at a later date.

Audit and Attest Standards Update Other Current ASB Projects

Audit and Attest Standards Update Other Current ASB Projects Revisions to SAS 74 and other conforming changes in response to PCIE report Revisions to SAS 74 and other conforming changes in response to PCIE report Revisions to SAS 70 Revisions to SAS 70 –Move Service Organization examination to AT Standards Revisions to auditing estimates and fair value Revisions to auditing estimates and fair value Finalize SAS 69 to remove GAAP hierarchy for FASB incorporation Finalize SAS 69 to remove GAAP hierarchy for FASB incorporation Revise AU 534 “Financial Statements Prepared for Use in Other Countries” now that IFRS is recognized as equivalent U.S. GAAP Revise AU 534 “Financial Statements Prepared for Use in Other Countries” now that IFRS is recognized as equivalent U.S. GAAP

SAS 74 Amendments Amend SAS 74 to provide additional auditing guidance when an audit of compliance is performed in connection with a GAAS and GAGAS audit of financial statements (i.e. OMB A-133 Audit). Amend SAS 74 to provide additional auditing guidance when an audit of compliance is performed in connection with a GAAS and GAGAS audit of financial statements (i.e. OMB A-133 Audit). A Compliance examination performed when an audit is not required, would continue to be performed under AT 601 A Compliance examination performed when an audit is not required, would continue to be performed under AT 601

TPA Issued on AU 543 Use of Other Auditors Question—Can U.S. auditor divide responsibility and refer to other auditor’s report if other audit was conducted in accordance with International Standards of Auditing or another country’s auditing standards? Question—Can U.S. auditor divide responsibility and refer to other auditor’s report if other audit was conducted in accordance with International Standards of Auditing or another country’s auditing standards? Answer—No, presumption is that audit of group was conducted in accordance with auditing standards generally accepted in the U.S. Answer—No, presumption is that audit of group was conducted in accordance with auditing standards generally accepted in the U.S.

Audit and Attest Standards Update Statement of Quality Control Standard 7

SQCS No. 7 Issued October 2007 Issued October 2007 Effective as of January 1, 2009 Effective as of January 1, 2009 Supersedes all previous SQCSs Supersedes all previous SQCSs

SQCS No. 7 The firm must establish a system of quality control designed to provide it with reasonable assurance that: –The firm and its personnel comply with professional standards and applicable regulatory and legal requirements, and –Reports issued are appropriate in the circumstances

SQCS No. 7 A system of quality control consists of: Policies designed to achieve these objectives and Policies designed to achieve these objectives and The procedures necessary to implement and monitor compliance with those policies. The procedures necessary to implement and monitor compliance with those policies.

SQCS No. 7 Documentation and Communication Required to document QC policies and procedures. Required to document QC policies and procedures. –Extent based on firm characteristics Required to communicate QC policies and procedures to personnel. Required to communicate QC policies and procedures to personnel. –More effective if in writing, but not required to be.

Required Elements of QC System Leadership responsibilities for quality within the firm (the “tone at the top”) Leadership responsibilities for quality within the firm (the “tone at the top”) Relevant ethical requirements Relevant ethical requirements Acceptance and continuance of client relationships and specific engagements Acceptance and continuance of client relationships and specific engagements Human resources Human resources Engagement performance Engagement performance Monitoring Monitoring

Tone at the Top Objective – Promote a quality- oriented internal culture Requires firms to assign its management responsibilities so that commercial considerations do not override the quality of work performed. Requires firms to assign its management responsibilities so that commercial considerations do not override the quality of work performed. Address personnel performance evaluation, compensation and advancement to demonstrate the firm’s overarching commitment to quality. Address personnel performance evaluation, compensation and advancement to demonstrate the firm’s overarching commitment to quality.

Questions?