Published by Erica Hancock. Modified over 9 years ago.
1
Risk Assessment Standards: What You Need To Know
NEELY DUNCAN, CPA, CFE, FCPA, AUDIT MANAGER
June 19, 2008
2
Introduction
Welcome
Agenda
• Risk assessment standards
• Impact on your audit
• Benefits to your organization
• Requirements
• Internal control deficiencies
• What can you do to help (and keep audit costs down)
We are glad you are here and interested in learning more about the new risk assessment standards and preparing your companies for your upcoming audit. As you have begun to realize, the risk assessment standards impact more than just us auditors. They impact us all. Our goal today is to provide you with a better understanding of the following:
• Requirements of the risk assessment standards
• Internal control and all of its components
• The impact on your audit
Warning - This 1 hour seminar will not be all that you need to fully understand internal control and what is required of you. You will likely need to spend more time reading more about these topics. We have attempted to identify and provide you with helpful examples and resources. Hopefully this information will serve as a starting point from which to prepare for next year’s audit. We want to help you along the process and equip you as best we can in order to make the audit as smooth and efficient as possible.
Lane Gorman Trubitt, L.L.P /19/08
3
Risk Assessment Standards
Auditing profession continually reviews practices and makes necessary improvements. Goal is to maintain and enhance the quality of independent audits and achieve international convergence Post Enron and Sarbanes-Oxley - Higher expectations of auditors Require sweeping changes in our audit process. Will result in increased effort by both your company and your auditors. Effective for audits of financial statements for periods beginning on or after December 15, 2006. In March 2006, the Auditing Standards Board issued eight new auditing standards, collectively referred to as the risk assessment standards. Most auditors believe that the changes caused by the risk assessment standards are the most significant in recent history. There were several reasons for issuing these new standards. One reason was to maintain and enhance the quality of independent audits, which have come under significant scrutiny in recent years. Another reason was to achieve convergence with international standards on auditing. Whatever the reasons, our firm and the profession are required to comply with the provisions of these new standards, which will be effective for your December 31, 2007 audit. These standards will require sweeping changes in our audit process. I want to reassure you that the audits we have performed for your company in the past have been in full compliance with the standards in effect at the time. Those audits have been effective and we have streamlined our procedures whenever possible to reduce audit time. However, the audit industry is undergoing change and as a result, the Auditing Standards Board issued these new standards to improve the overall effectiveness of audits. The scope of the changes required by the new standards will have a significant impact on you, our client. We anticipate that future audits will require an overall increase in effort by both your company and our audit firm. 
In making this transition, we will leverage our existing knowledge of your company and industry wherever possible. We developed this presentation to provide you with information on the basics of the standards, how they will impact you and your audit, and what you can do to assist us in making the audit process as efficient as possible. Lane Gorman Trubitt, L.L.P /19/08
4
What is Risk Assessment?
More focused audit approach. Considers at a detailed level what can go wrong in your accounting records and in the preparation of your financial statements. Identifies areas where material errors or fraud are more likely to occur. Concentrates audit effort in those areas. Depends on the depth of our understanding of your company, industry, and internal controls. The term “risk assessment” refers to a focused audit approach in which we consider at a detailed level what can go wrong in your accounting records and in the preparation of your financial statements. The purpose is to identify areas where material errors or fraud are more likely to occur. We then concentrate our audit effort in those areas. An area may have a higher risk of error or fraud because of the nature of your business or the types of transactions that make up the account being audited. Or the area may have a higher risk of error or fraud because internal controls are not in place to prevent or detect a misstatement. Risk assessment requires us to identify the things that could go wrong—when you process and record transactions, make journal entries to close the books, determine the appropriate values for assets and liabilities under GAAP, and prepare the financial statements and disclosures—that could lead to a material error or fraud. Our ability to assess risks at that level depends to a great extent on the depth of our understanding of your company, its industry, and its internal controls. Let me explain further the specific new requirements of the risk assessment standards and how your audit will be impacted. Lane Gorman Trubitt, L.L.P /19/08
5
Risk Assessment Standards
• SAS 104: Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards & Procedures
• SAS 105: Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
• SAS 106: Audit Evidence
• SAS 107: Audit Risk & Materiality in Conducting an Audit
• SAS 108: Planning & Supervision
• SAS 109: Understanding the Entity and Its Environment & Assessing the Risks of Material Misstatement
• SAS 110: Performing Audit Procedures in Response to Assessed Risks & Evaluating the Audit Evidence Obtained
• SAS 111: Amendment to Statement on Auditing Standards No. 39, Audit Sampling
• SAS 114: The Auditor’s Communication With Those Charged With Governance
6
Risk Assessment Standards
The objectives of the SASs are to improve audit effectiveness by requiring:
• A more in-depth understanding of the entity and its environment, including its internal control.
• More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements.
• A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.
7
Impact to 2007 audits Planning and supervision
• Signed engagement letter before planning starts.
• Approved communication from Audit Committee.
• Requires more time from managers.
• Knowledge of business and internal control assessment will add substantially more time.
• Inquiry regarding internal control not enough – need to verify by doing walkthroughs of all major cycles.
• Required to assess key IT controls, security & changes – may need IT specialist.
• Obtain Type II SAS 70 reports for significant outsourced services – for instance, payroll, claims processing, etc.
• Three planning meetings will be necessary for your auditors:
  • Determine what info to gather and how – walkthroughs, etc.
  • Perform risk assessment including fraud brainstorming
  • Responses to risks – develop audit plan and tailor programs
8
Impact to 2007 audits (cont)
Risk assessment
• Risk based audit approach required – not a philosophical change for us.
• No longer can assess control risk at maximum and do no work on controls.
• Risk assessment much more detailed than we used in the past.
• Risk by assertions to transaction cycle, accounts and disclosures
• Documentation increased
• Linkage to audit assertions, procedures, workpapers and conclusions
• Will require more time from audit team management.
9
Impact to 2007 audits (cont)
Other matters
• Many more management letter comments. Some clients will view this as adding value while others will view this as a problem.
• 2006 saw that all clients had at least one material weakness – they don’t prepare their F/S, we do. This will be reported every year, unless the client can take responsibility for them.
• Bottom line estimated impact to fees:
  • Industry says 15-40%
  • Our estimate 10-15%
10
What are the Benefits to You?
A more thorough, effective, and focused audit. We will be better able to— Provide useful information Identify problems or opportunities and make recommendations Assist with special projects Recommended improvements can help you avoid unexpected losses or expenses. Better overall internal control. While the implementation of the risk assessment standards will result in an increase in the amount of effort by your personnel, we anticipate that there will be some benefits to you. For example, under these new standards, you will receive a more thorough, effective, and focused audit. In addition, the risk assessment standards require us to obtain an understanding of your company and your industry beyond what was required by previous standards. That includes obtaining information about your business objectives and strategies and the related risks. It also includes obtaining a more in-depth understanding of your internal controls. That greater understanding can benefit you in several ways. For example, we will be better able to— Provide Useful Information. Useful information might include providing you with an important contact to help you achieve your strategic objectives or facilitating a discussion with an owner of another company facing similar issues. We hope we can make your life easier by being a valuable source of constructive business advice. Identify Problems or Opportunities and Make Recommendations. As we discussed, we expect to report more control deficiencies than we have in the past. Correcting those will help you strengthen your ability to detect errors or fraud. Our expanded knowledge may also help us provide more meaningful recommendations in other areas, such as operational efficiency or expense reductions. Assist with Special Projects. For example, we might be better able to help you develop effective antifraud programs and controls or draft a policies and procedures manual. We would be happy to discuss these opportunities with you in more detail. 
The benefits of even one recommendation that helps you meet the company’s strategic goals and objectives or saves you from costly errors or theft can more than compensate for any increased audit fees. Lane Gorman Trubitt, L.L.P /19/08
11
What are the Requirements?
Obtain Understanding Identify Risks Perform Risk Assessment Link Risk Assessment to Audit Procedures Meet New Documentation Requirements Obtain a more in-depth understanding of your company and its operating environment, including internal controls. Identify the specific risks of material errors or fraud occurring and remaining undetected by you, along with the actions you are taking to mitigate those risks. Perform a rigorous assessment of the risks of material misstatement of your financial statements based on that understanding. Link that risk assessment with the resulting audit procedures. Meet new documentation requirements. In general, the risk assessment standards require us to obtain a more in-depth understanding of your company and the environment in which you operate. This includes your internal control. We will use this understanding to identify the specific risks of material errors or fraud occurring and remaining undetected by you. We will also identify any actions you are taking to mitigate those risks. Based on that knowledge, we are required to assess the risk that a material error or fraud could occur in your financial statements, including where and how the misstatement could occur. The risk assessment standards then require us to link our risk assessment with the resulting audit procedures that we perform to detect potential material misstatements. Throughout this process, we are required to document more information about your operations and controls, our audit procedures, and our risk assessment than we have been required to document in the past. The standards re-visit key audit concepts, including: materiality, the nature of audit evidence, internal control, audit planning, and the evaluation of misstatements. Lane Gorman Trubitt, L.L.P /19/08
12
In-depth Understanding Of Company
Auditors are required to gather information to gain an in-depth understanding of the company and its environment. Obtain Understanding Includes the following aspects: External factors Nature of the client Objectives and strategies and related business risks Measurement and review of the company’s financial performance Internal control On every audit you are required to gather information and obtain an understanding of the client and its environment. This understanding consists of the following aspects. • External factors, including — Industry factors such as the competitive environment, supplier and customer relationships, and technological developments. — The regulatory environment, which includes relevant accounting pronouncements, the legal and political environment, and environmental requirements that affect the industry. — Other matters such as general economic conditions. • Nature of the client, which includes its operations, its ownership, governance, the types of investments it makes and plans to make, how it is financed, and how it is structured. • Objectives and strategies and related business risks, which may result in material misstatement of the financial statements taken as a whole or individual assertions. • Measurement and review of the client's financial performance, which tells you which aspects of the client's performance that management considers to be important. • Internal control, which consists of five components: the control environment, risk assessment, information and communication, control activities, and monitoring. These components may operate at the entity level or the individual transaction level. To obtain an appropriate understanding of internal control will require you to understand and evaluate the design of all five components of internal control and to determine whether the controls are in use by the client. Lane Gorman Trubitt, L.L.P /19/08
13
Identify Risks of Material Misstatements
Based on the auditor’s understanding of the design and implementation of the company’s controls, identify those areas where material errors or fraud could occur. Identify Risks Consider: Significance of transactions, account balances, and disclosures to the financial statements Effectively designed controls that are in place We will use this understanding to identify the specific risks of material errors or fraud occurring and remaining undetected by you. We will also identify any actions you are taking to mitigate those risks. Lane Gorman Trubitt, L.L.P /19/08
14
Perform Risk Assessment
Required to assess the risk of material misstatement at:
• Financial statement level – pervasive to financial statements as a whole and potentially affect many relevant assertions
• Relevant assertion level – relate to specific classes of transactions, account balances, and disclosures at the assertion level
Based on that knowledge, we are required to assess the risk that a material error or fraud could occur in your financial statements, including where and how the misstatement could occur. RMM is a combination of inherent risk and control risk. In other words, how inherently risky is the account or disclosure item, and what is the risk that the Company’s internal controls wouldn’t prevent or detect a material misstatement?
15
Perform Risk Assessment (continued)
Financial statement level risks should be related back to specific assertions.
Examples of financial statement level risks –
• Overall weak control environment
• Lack of qualified personnel in financial reporting roles
• Management's process for making significant accounting estimates
16
Perform Risk Assessment (continued)
Examples of relevant assertion level risks –
• Existence of accounts receivable
• Occurrence of sales
• Valuation of inventory
• Presentation and disclosure of debt covenant compliance
17
Assertions What are assertions?
Management’s implicit or explicit representations regarding the recognition, measurement, presentation and disclosure of information in the financial statements.
Our audit approach is generally directed at specific assertions in order to properly link the assessed risks to our audit procedures.
18
Link Risk Assessment to Audit Procedures
Assessment of risk of material misstatement (at both the financial statement and assertion level) should be directly linked to the design and performance of audit procedures. Audit programs and checklists must be tailored to reflect this linkage. Examples – Significant accruals that are subject to complex estimation Inventory quantities that are difficult to count could be misstated Link Risk Assessment to Audit Procedures The risk assessment standards then require us to link our risk assessment with the resulting audit procedures that we perform to detect potential material misstatements. Throughout this process, we are required to document more information about your operations and controls, our audit procedures, and our risk assessment than we have been required to document in the past. Lane Gorman Trubitt, L.L.P /19/08
19
New Documentation Requirements
• Auditors must have and document an appropriate basis for the audit approach.
• This requirement eliminates the ability to assess control risk “at the maximum” without having a basis for the assessment (aka “default to max”).
• “Default to max” – means placing no reliance on a company’s internal control and performing primarily detailed, substantive testing.
• Typically, “defaulting to max” was considered to be more efficient for companies with a limited control environment.
Throughout this process, we are required to document more information about your operations and controls, our audit procedures, and our risk assessment than we have been required to document in the past.
20
New Documentation Requirements (cont.)
Audit documentation must be prepared in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand:
• The nature, timing and extent of auditing procedures
• The results of the audit procedures performed and the audit evidence obtained
• The conclusions reached on significant matters; and
• That the accounting records agree or reconcile with the audited financial statements or other audited information
21
Internal Control Deficiencies
Internal Control Deficiencies fall into three categories under SAS 112:
• Control Deficiency - A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Can be communicated by the auditors verbally.
• Significant Deficiency - A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected. Must be communicated by the auditors in writing.
• Material Weakness - A material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. Must be communicated by the auditors in writing.
22
Objectives – Internal Control
What is internal control? Who is involved in internal control? How to improve internal control This slide describes the main objectives of the session. You should mention how long you expect the session will take and describe how you will take and answer questions (i.e., during the session, as questions arise, or at the end). The audience should understand what Internal Control is and all that it encompasses. Key concerns for the audience will be how to “right-size” internal control and related documentation for the size of their companies. Lane Gorman Trubitt, L.L.P /19/08
23
What is Internal Control?
Establish effective control environment Identify “what can go wrong?” (risk assessment) Implement controls to manage risk (control activities) Implement reliable information system & communicate Monitor control performance Internal Control is a “process” of policies, procedures, attitudes and actions that achieve effective and efficient operations, compliance with laws and regulations, and produce accurate and reliable financial reporting. This slide describes the internal control components described by the COSO framework. It is important that clients leave the session with an appreciation for the breadth and depth of this description of internal control. That is, control is not a one-time event or just a matter of performing a few checks and reconciliations. If your clients understand the comprehensive nature of internal control, they will be much better able to understand why the auditor’s procedures relating to the evaluation of internal control design must be so extensive. Lane Gorman Trubitt, L.L.P /19/08
24
What is Internal Control? (continued)
Entity level controls – Controls that affect the entire organization.
• “Tone at the Top”
• What can go wrong; anti-fraud programs
• Assignment of authority
• Distribution of financial information; IT general controls
• Accountability by departments/functions
Activity level controls – Controls that capture, process, communicate information.
• Transaction cycle controls
• Segregation of duties
The auditor is required to assess the internal control components on two levels: at the entity-wide level and at the activity level.
25
Entity-Level Controls
Control Environment
• Attitudes, awareness, actions of Owners/Management (those charged with “governance”)
Risk Assessment
• How Owners/Management consider risks and take actions to address them
Control Activities
• Anti-fraud controls
• IT general controls
Information & Communication
• Capture events that affect reporting
• Communicate reporting roles/responsibilities
Monitoring
• High-level activities that monitor controls/overall accountability
26
Entity-Level Controls (continued)
What about Smaller Entities?
Smaller entities may use less formal means and processes to achieve their control objectives. Therefore certain components of internal control may not be clearly distinguished, but the underlying purpose is equally valid.
27
Who is Involved with Internal Control?
Management has primary responsibility. Not just for the accounting department. Consider all aspects of the company that impact internal controls Examples: Hiring, Training, Promoting Operations Sales The first bullet point emphasizes the main objective of the previous slide--internal control spans the entire company. Therefore, the implementation and maintenance of internal control must touch many aspects of the company, most of which are not related to accounting. The last bullet is critical. The participants must leave the session with a sense that they, not the auditors, are primarily responsible for the accounting system and internal control. There are two paragraphs in the pamphlet “Understanding Internal Control” under the heading “management’s Responsibilities.” The last two sentences of these two paragraphs provide two reasons why management must be the ones to take responsibility for the company’s internal control. Lane Gorman Trubitt, L.L.P /19/08
28
Activity Level Controls
Classes of Transactions, Account Balances, Disclosures
Information
• Procedures to initiate, record, process and report transactions
Control Activities
• Policies and procedures related to assertions
• IT application controls
• Segregation of duties, safeguard assets, reconciliations
29
How to Improve Internal Control
Ask “what can go wrong?” Design controls to mitigate the risk. Monitor control performance. Set an appropriate tone at the top. Exercise oversight of the financial reporting process. Consider control recommendations identified by auditors. This slide summarizes the presentation by providing the participants with broad suggestions for what they should be thinking about when exercising their responsibilities relating to internal control. These suggestions tie back to the COSO framework, and they should make much more sense to the participants now that they have been through your presentation. Note. When discussing the first bullet point, have the participants turn to the sidebar on page 8 of the pamphlet and walk them through the process for considering “what can go wrong?” Lane Gorman Trubitt, L.L.P /19/08
30
What Can You Do to Help? Document your key controls and perform your own risk assessment. Respond promptly to inquiries and document requests. Expect and prepare your staff for walkthroughs. Communicate your questions or concerns. Look at this as an opportunity to improve controls not another “hoop to jump through”. There are several things you can do to assist us in this process. First, you can prepare your staff to respond to our additional inquiries and our requests for documents and records in a timely manner. You can also prepare them to spend time with us walking through the processing steps for your major transaction processing systems. To the extent you can, preparing or providing us with written documentation of your procedures and controls in advance of the audit would also help. Finally, you can communicate with us about your questions and concerns related to the changes we just discussed so we can resolve any issues you might have before the audit begins. Lane Gorman Trubitt, L.L.P /19/08