SAS Update GFOA Western Pa – January 2008 Presented by Rob Lent, CPA, CGFM.


2 SAS Update GFOA Western Pa – January 2008 Presented by Rob Lent, CPA, CGFM

3 Sources
- AICPA Auditor’s Risk Assessment Process: Tackling the New Risk Assessment SASs
- GAO presentation to the AICPA Governmental Audit Quality Center, July 11, 2006
- Pennsylvania CPA Journal, Winter 2007

4 Suite of 8, The Risk Assessment Standards
- SAS 104, Amendment to SAS 1, Codification of Auditing Standards and Procedures
- SAS 105, Amendment to SAS 95, Generally Accepted Auditing Standards
- SAS 106, Audit Evidence
- SAS 107, Audit Risk and Materiality in Conducting an Audit (Audit Risk and Materiality)
- SAS 108, Planning and Supervision
- SAS 109, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement
- SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
- SAS 111, Amendment to SAS 39, Audit Sampling

5 Audit Risk Inherent Risk Control Risk Detection Risk

6 General Effects of The Risk Assessment SAS Expand the quality and depth of the auditor’s required understanding of the entity and its environment, including internal control. Requires the auditor to assess the risks of material misstatements at the financial statement level and at the assertion level on all audits based on the understanding obtained.

7 General Effects of The Risk Assessment SAS Eliminates the “default to maximum” for control risk, which should encourage testing of controls. Emphasizes importance of the entity’s risk assessment process. Strengthens the linkage between assessed risks and the auditor’s responses to those risks. Clarifies the auditor’s ability to rely on audit evidence gathered in prior audits. Strengthens guidance for testing disclosures.

8 General Effects of The Risk Assessment SAS
Clarifies and expands guidance on evaluating audit findings.
Expands documentation requirements:
- Results of the risk assessments at both the financial statement level and the assertion level.
- The nature, timing and extent of audit procedures performed.
- The linkage of auditor responses with the assessed risks at the assertion level; and
- Results of audit procedures.

9 Key Areas Level of Audit Assurance Planning and Supervision Understanding Internal Controls Audit Risk and Materiality Understanding the Entity Performing Audit Procedures Audit Sampling Audit Evidence and Evaluation

10 Level of Audit Assurance Clarifies the meaning of reasonable assurance. “the auditor must plan and perform the audit to obtain sufficient appropriate audit evidence so that risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements” Absolute assurance is not attainable. High level of assurance

11 Audit Planning Gain an understanding of the client and their environment. Performing preliminary analytical review procedures. Estimating planning materiality and tolerable misstatement. Identifying significant accounts. Conducting a fraud specific team meeting. Assessing the risk of material misstatement arising from fraud or error at the entity level. Agreeing on timing and deliverables. Developing an overall audit strategy.

12 Planning and Supervision More partner level involvement Planning occurs throughout the audit Development of an audit strategy Broad approach to how the audit will be conducted Development of an audit plan Describes in detail the nature, timing and extent of risk assessment and further audit procedures in response to risk assessment Should obtain a written understanding

13 Audit Risk and Materiality Audit risk and materiality are used to identify and assess the risk of material misstatement Eliminates the ability of the auditor to assess control risk “at the maximum” without having a basis for that assessment Materiality should consider both qualitative and quantitative characteristics

14 Understanding the Entity Must obtain a sufficient understanding of the entity and its environment, including internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing and extent of further audit procedures

15 Understanding the Entity Risk Assessment Procedures Understanding the Entity and its Environment, Including Internal Control Assessing Risk of Material Misstatement Documentation

16 Risk Assessment Procedures Inquiries of management and others within the entity. Analytical procedures. Observation and inspection. Inquiry alone is not sufficient to evaluate the design of internal control and to determine whether it has been implemented.

17 Risk Assessment Procedures Analytical Procedures Must be established expectations Observation and Inspection Review of contracts Observation at the entity Transaction walk-throughs

18 Risk Assessment Procedures Determine whether changes have occurred that may affect the relevance of information about the entity and its environment that was obtained in prior periods if the auditor intends to use such information in the current audit.

19 Risk Assessment Procedures Initiate a discussion among the members of the engagement team about the susceptibility of the entity to material misstatements of the financial statements.

20 Understanding the Entity and its Environment, Including Internal Control
Obtain an understanding of the entity and its environment, including internal control.
- Industry, regulatory and other external factors.
- Nature of the entity, including the entity’s application of accounting policies.
- Objectives and strategies and the related business risks, including the entity’s risk assessment process.
- Measurement and review of the entity’s financial performance.

21 Understanding the Entity and its Environment, Including Internal Control Control environment. The entity’s risk assessment process. The information system and related business processes relevant to financial reporting, and communication. Control activities. Monitoring of controls.

22 The Control Environment
Tone of an organization.
- Integrity and Ethical Values.
- Competency.
- Governance.
- Experience and knowledge.
- Stature within the entity and business community.
- Genuine interest in internal control.
- Independence of management.
- Active interaction with the external auditors.

23 The Control Environment
Tone of an organization.
- Philosophy and Operating Style.
- Authority and Responsibility.
- Human Resources.

24 Risk Assessment Process
The entity’s identification and analysis of relevant risks to the achievement of its objectives. Each will have its own unique risks. External and internal factors.
- New accounting systems.
- New personnel or employee turnover.
- New accounting standards.
- A significant and/or unusual transaction or event.

25 Risk Assessment Process Reliance by an entity on its external auditor for this risk assessment is indicative of a material weakness and causes the auditor to evaluate audit risk as high.

26 Information and Communication Systems Support the identification, capture and exchange of information in a form and time frame that enable employees to carry out their responsibilities.

27 Control Activities Policies and procedures that help ensure that management directives are carried out. The entity’s response to either preventing errors from occurring or detecting and correcting them if they do occur.

28 Monitoring Process that assesses the quality of internal control performance over time.

29 Assessing the Risk of Material Misstatement
Assess the risks of material misstatements at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures.
- Identifies risks by considering the entity and its environment, including relevant controls that relate to the risks.
- Relates the identified risks to what can go wrong at the assertion level.
- Considers whether the risks are of a magnitude that could result in a material misstatement of the financial statements.
- Considers the likelihood that risks could result in a material misstatement in the financial statements.

30 Documentation The discussion among the audit team. The understanding of aspects of the entity and its environment, including the components of internal control; the sources from which the understanding was obtained; and the risk assessment procedures. The significant risks and the risks for which substantive procedures alone are not sufficient and the controls related to those risks that were evaluated. The results of the risk assessment at both the financial statement level and at the assertion level and the basis for the assessment.

31 Performing Audit Procedures Overall Responses Audit Procedures Responsive to Risks of Material Misstatement at the Relevant Assertion Level Sufficiency and Appropriateness of the Audit Evidence Obtained Documentation

32 Performing Audit Procedures Perform tests of controls to obtain audit evidence about their operating effectiveness when the auditor’s assessment of risks of material misstatements at the assertion level is based on an expectation that controls are operating effectively. Perform tests of controls to obtain evidence about their operating effectiveness when the auditor has determined that it is not possible or practicable to reduce the risk of material misstatement at the assertion level to an appropriately low level with audit evidence obtained only from substantive procedures.

33 Performing Audit Procedures Determine what additional audit evidence should be obtained for the remaining period when the auditor obtains audit evidence about the operating effectiveness of controls during an interim period. Obtain audit evidence through a combination of inquiry, observation, and inspection about whether changes in specific controls have occurred since evidence about their operating effectiveness was obtained in a previous audit if the auditor plans to use that evidence in the current audit.

34 Performing Audit Procedures
Obtain audit evidence about whether changes in specific controls have occurred since evidence about their operating effectiveness was obtained in a previous audit if the auditor plans to use that evidence in the current audit.
- If such controls have changed since they were last tested, test their operating effectiveness in the current audit.
- If such controls have not changed since they were last tested, test their operating effectiveness at least every third audit.

35 Performing Audit Procedures Plan and perform substantive procedures for each material class of transactions, account balance and disclosure irrespective of the assessed risk. Perform substantive procedures, consisting of tests of details alone or tests of details combined with substantive analytical procedures that are specifically responsive to significant risks.

36 Performing Audit Procedures Test during each audit the operating effectiveness of some controls where there are a number of controls for which the auditor determines that it is appropriate to use audit evidence obtained in prior audits.

37 Performing Audit Procedures If the auditor plans to rely on controls to mitigate a “significant risk”, obtain all evidence about the operating effectiveness of such controls from tests of controls performed in the current audit.

38 Internal Control Documentation
Routine Processes. Non-Routine and Estimation Processes.
- If the entity does not have the necessary resources to effectively execute estimation and non-routine processes, then a likely material weakness exists under the new audit standards.

39 Internal Control Documentation
Financial Statement Closing Process.
- Identification and timely analysis and adjustment of significant accounts which require sensitive estimates and judgments.
- Recording journal entries.
- Reconciling key accounts to their subsidiary records.
- Agreeing the financial records to the amounts and disclosures in the financial statements.
- Determining that all required disclosures are made.

40 Internal Control Documentation
Financial Statement Closing Process.
- Documentation of accounting policies.
- Support for financial statement disclosures.
- The governing body’s review and approval of the financial statements.
- If the entity does not have the necessary resources to effectively apply GAAP to recording the entity’s financial statements or prepare its financial statements, then a likely material weakness exists under the new audit standards.

41 Internal Control Documentation
Information Technology Processes.
- General controls - policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
- Application controls - apply to the processing of individual applications.

42 Overall Responses Determine the overall responses to address the risks of material misstatements at the financial statement level.

43 Audit Procedures Responsive to Risks of Material Misstatement at Relevant Assertion Level Cannot rely on control tests alone for material matters Cannot rely on analytics alone for material matters

44 Evaluating the Sufficiency and Appropriateness of Audit Evidence Obtained Results must be evaluated together Matter of professional judgment

45 Documentation The overall responses to address the assessed risks of misstatement at the financial statement level. The nature, timing and extent of the audit procedures. The linkage of those procedures with the assessed risks at the assertion level. The results of audit procedures. The conclusions reached with regard to the use in the current audit of audit evidence about the operating effectiveness of controls that was obtained in a prior audit.

46 Audit Sampling Sample size selected by non-statistical methodologies must approximate the sample sizes had statistical methods been used. Gone are the days when audit teams pulled a sample size out of the air “based on professional judgment”

47 Audit Evidence and Evaluation
Audit evidence
- All of the information used by the auditor in arriving at the conclusions on which the audit opinion is based.
Provides additional guidance on the reliability of various kinds of evidence.

48 So, Let’s Try It!! Where do we start??

49 Internal Control Documentation Identifying entity level controls. Identifying significant accounts, groups of accounts or classes of transactions. Identifying significant underlying processes. Preparing documentation of processes. Performing walk-throughs. Asking what could go wrong questions. Identifying controls to mitigate the potential misstatements. Assessing the likelihood that a failure could be material to the entity’s financial statements. Relating controls to financial statement assertions.

50 Entity Level Controls Control Environment Risk Assessment Information and Communication Control Activities Monitoring

51 Control Activities What could go wrong? Questions. If key controls are absent then there is at least a significant deficiency in the internal control design.

52 Control Activities Matrix
- Financial statement assertion,
- “What could go wrong?” questions,
- Key controls,
- Control type – preventative or detective,
- Control activity processed by,
- Manual or IT dependent control,
- IT general control evaluated,
- Control effective and
- Control tested

53 Assertions
Re-categorizes the five assertions into three categories.
- Classes of transactions (5 assertions)
  - Occurrence – Transactions and events that have been recorded have occurred and pertain to the entity.
  - Completeness – All transactions and events that have been recorded have occurred and pertain to the entity.
  - Accuracy – Amounts and other data relating to recorded transactions and events have been appropriately recorded.
  - Cutoff – Transactions and events have been recorded in the correct accounting period.
  - Classification – Transactions and events have been recorded in the proper accounts.

54 Assertions
- Account balances (4 assertions)
  - Existence – Assets, liabilities, and equity interests exist.
  - Rights and Obligations – The entity holds or controls the rights to the assets, and liabilities are the obligation of the entity.
  - Completeness – All assets, liabilities and equity interests that should have been recorded have been recorded.
  - Valuation and Allocation – Assets, liabilities and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.

55 Assertions
- Presentation and disclosure (4 assertions)
  - Occurrence and Rights and Obligations – Disclosed events and transactions have occurred and pertain to the entity.
  - Completeness – All disclosures that should have been included in the financial statements have been included.
  - Classification and Understandability – Financial information is appropriately presented and described and disclosures are clearly expressed.
  - Accuracy and Valuation – Financial and other information are disclosed fairly and at appropriate amounts.

56 Risk Assessment Overview Fraud Risk Factors Respond Risk Assessment New Process Brainstorming Inquiries Analytical Procedures Other

57 Questions? Rob Lent, CPA, CGFM 1-412-535-5500 rlent@md-cpas.com

