New Audit Risk Standards Are You Ready? John P. Langan, CPA Principal in Charge Public Service Group Metro, DC Office LarsonAllen LLP

2 Learning Objectives Gain a Historical Perspective on an Evolving Audit Approach Receive an Overview of the New AICPA Audit Standards: SAS Share Implementation Experiences: SAS 103 & 112 Understand the Basic Concepts Inherent in the New Audit Risk Standards SAS Identify Specific Ways to Prepare for Addressing the Standards with your Board, Management and Auditors Receive Tools and Resources to Support Your Related Responsibilities

3 Three Audience Perspectives Association Financial & Management Professionals Public Accounting Professionals Other Association Advisors

4 Historical Perspective Expectations “GAAP” How Auditors Traditionally Audited Non-Profits Treadway Commission & COSO The Go-Go 90’s: For-Profit & Non-Profit Fraud Fall of Arthur Andersen

5 Historical Perspective Statement on Auditing Standards No. 99-Active Consideration and Search for Fraud New Ethics Rules on Auditor Independence: AICPA,OMB Sarbanes-Oxley For Public Companies: Rule 404 NFP Implications of Sarbanes-Oxley –Rise in Audit Committees* –Whistle Blower, Document Retention, Conflict of Interest Policies –Increase in Audit RFP’s –Internal Audit Function –Risk Assessment & Monitoring *Resource: (AICPA NFP Audit Toolkit

6 Relevant Questions What &Where are the Risks of Fraud in NFPs? What & Where are the Risks of Material Misstatement in the Financial Statements? Where do Management’s Responsibilities End and The Auditor’s Begin? How Can The Audit Process Be More Efficient & Effective?

7 Overview of SAS Statements on Auditing Standards (SAS) Released June 2006 Impact Audits For All Industries & Entities Not Just NFP’s SAS 102 Defining Terms in Prior Statements SAS 103 Audit Documentation/Report Dating SAS Risk Assessment Standards SAS 112 Evaluating Control Deficiencies SAS 113 Omnibus Statement Revising Prior Statements SAS 114 Communications with Those Charged with Governance. Supersedes SAS 61

8 Key Statements & Effective Dates SAS 103 & 112 Effective Years Ending On or After 12/31/06 SAS Effective Years Ending On or After 12/31/07 AICPA Risk Alert* Summarizes SAS * Available on FAR Web Site:

9 SAS 103 & 112 Look-back Key Concepts SAS 103 Sufficient Audit Documentation To Support Audit Opinion Report Dating 60 day audit file lock-down SAS 112 Communicate deficiencies in design and implementation –Since we are assessing more control risks, we may have more control deficiencies to report Types of control deficiencies –Inconsequential deficiency (oral) –Significant deficiency (written- SAS 112 & Single Audit Findings) –Material weakness (written- SAS 112 & Single Audit Findings))

10 SAS 103 & 112 Look-back SAS 103 More Timely Audit Reporting Planning Counts (Auditor, Management, Audit Committee) Potential For The Never Ending Audit: Subsequent Events/Updated Representations Potential For Audit Committee Meetings “On The Fly” SAS 112 Lack of Uniformity in Auditor Application Reactions & Re-Audits: Speaker War Stories Share Your Experiences: Auditor & Client

11 Primary Objective of New SASs A more in-depth understanding of the client and its environment, including its internal control More rigorous risk assessments A more direct link between identified risks and audit procedures performed Better communication of internal control matters

12 New Requirements For Your Auditor Trying to reduce the risk of material misstatement in the financial statements Must reduce overall audit risk to a level of “low” Must obtain a sufficient understanding of the entity and its environment, including internal control (walk-through, non- program inquiries) Must perform risk assessment procedures Must link identified risks (e.g., inherent risks, control risks, detection risks) to audit procedures Must evaluate internal control for significant risks Must test controls when relevant or necessary Must communicate with those charged with governance

13 SAS SAS 104 Amends SAS 1 Due Professional Care SAS 105 Amends SAS 95 Generally Accepted Auditing Standards SAS 106 Audit Evidence SAS 107 Audit Risk & Materiality SAS 108 Audit Planning & Supervision

14 SAS SAS 109 Understanding The Entity and Its Environment Assessing The Risks of Material Misstatements SAS 110 Performing Audit Procedures in Response to Assessed Risk and Evaluating the Audit Evidence Obtained SAS 111 Amends SAS 39 Audit Sampling

15 Risk Assessment What can go wrong in the financial statements? Understand entity and environment Understand risks of the entity Understand the risks in financial reporting including and beyond fraud Understand internal controls designed to mitigate risks –Entity-level controls (tighter written procedures) –Activity-level controls (coordination w/IT) Determine if controls have been implemented Not just auditor inquiry Corroborating evidence required (duplicate inquiries, written documentation)

16 Key Concept: Supporting Financial Statement Assertions You Must Support Financial Statement Assertions: 1.Occurrence and Existence 2.Rights and Obligations 3.Completeness 4.Accuracy, Valuation and Allocation 5.Cut-off 6.Classification and Understandability See Matrix in AICPA Audit Risk Alert (13 in Standards summarized as 6 above)

17 Key Concept: Supporting Assertions Assertions Evaluated in Three Areas: 1.Classes of Transactions and Events During The Period 2.Account Balances at the End of the Period 3.Presentation and Disclosure See Matrix in AICPA Audit Risk Alert

18 Gaining Understanding of Internal Control Five components of the COSO Integrated Framework*: 1.Control Environment 2.Risk Assessment 3.Information and Communication Systems 4.Monitoring 5.Control Activities *Executive Summary: Internal Control over Financial Reporting For Small Public Companies available on FAR Web Site:

19 Gaining Understanding of Internal Control Internal control –Evaluate the design –Capable of effectively preventing, detecting, and correcting material misstatements –Addresses significant risks and fraud risks Has been implemented –Actually exists and entity is using it –Aware of control and responsibility for performance –Working knowledge of how to perform –Inquiry alone not sufficient (e.g., walkthroughs) Include information technology controls Include controls for service organizations utilized

20 Opportunity and Benefits Have you evaluated entity risks in a formal manner? Have you designed and implemented control procedures to address entity risks? Understand your organization’s risks for material misstatement of financial statements (not just fraud) and how your organization’s internal control reduces those risks (see sample Risk Assessment on FAR website). Results: –Improved risk management at your organization. –Potential changes to more efficient audit procedures.

21 What Can You Do To Prepare? Meet with your Auditors and plan for –Additional inquiries –Additional corroborating evidence –Additional documentation needed –Identification of documentation you currently have Educate your Management & Audit Committee with resources and tools identified Initiate an internal Risk Assessment and Monitoring Process to support the five elements of internal control and financial statement assertions

Questions & Discussion