SAS 112 and Auditing Update
Recent Auditing Standards’ Impact on the Audited

Agenda
1. Internal Control Deficiencies
2. Other New Auditing Standards
3. Potential Impact on Audits

SAS Agenda
• SAS 112 – Communicating Internal Control
• SAS 103 – Audit Documentation
• SAS 114 – Communication with Those Charged with Governance
• SAS 104 to 111 – Audit Risk Standards

Statements on Auditing Standards (SAS)
• Issued by the Auditing Standards Board of the AICPA
• Apply to all industries, including state and local governments
• Deal with the way audits are conducted, not accounting issues

SAS 112 Communicating Internal Control Related Matters in an Audit
• Effective for audits of December 31, 2006, and beyond
• New definitions for internal control weaknesses
• New reporting requirements of control deficiencies
• Auditors will need to evaluate deficiencies and their impact

Auditor’s Responsibility
• If during the audit a control deficiency is identified, the auditor must communicate to the entity in writing
• Not responsible
  – To perform procedures to identify deficiencies in internal control over financial reporting
  – To express an opinion on the effectiveness of the entity’s internal controls over financial reporting

Definition
• Internal Control over Financial Reporting – a process effected by those charged with governance, management, and other personnel designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations

New Definitions
• Control deficiency
• Significant deficiency
• Material weakness

Control Deficiency
• A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements of the financial statements in a timely manner

Significant Deficiency
• A significant deficiency is a control deficiency or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.

Material Weakness
• A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

More Definitions
• FASB Statement #5 provides the basis for the following definitions:
  – Probable – likely to occur
  – Reasonably possible – more than remote, but less than likely
  – Remote – the chance of occurrence is slight
  – More than inconsequential – describes the magnitude of potential misstatement and serves as a threshold for determining a significant deficiency.

Evaluating Control Deficiencies
• Evaluate to determine if significant or material weakness.
• Significance depends on the potential for misstatement not on whether a misstatement has occurred.
• Auditor considers the mitigating effect of compensating controls that limit the severity
• Compensating controls do not eliminate control deficiencies.

At Least Significant Deficiencies
• Deficiencies in the following areas are at least significant deficiencies:
  – Control over the selection and application of accounting principles
  – Antifraud programs and controls
  – Controls over non-routine and nonsystematic transactions
  – Controls over the year end financial reporting process

Strong Indicators of Material Weaknesses
• The following are at least significant deficiencies and a strong indicator of a material weakness:
  – Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance
  – Restatement (correction of an error) of previously issued financial statements
  – Identification of fraud of any magnitude on the part of senior management

Strong Indicators of Material Weaknesses
• The following are at least significant deficiencies and a strong indicator of a material weakness: (Continued)
  – Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected.
  – An ineffective control environment.
  – Identification by the auditor of a material misstatement in the financial statements for the period under audit that was not initially identified by the entity’s internal control.

Factors Auditor Considers
• Two factors considered when evaluating control deficiencies:
  – Likelihood
  – Magnitude

Likelihood
• Refers to the probability that a control, or combination of controls, could have failed to prevent or detect a misstatement in the financial statements being audited.
• If in the auditor’s judgment, it is reasonably possible that a misstatement could have occurred because of a missing control, then the likelihood is more than remote.

Magnitude
• Refers to the extent of the misstatement that could have occurred or actually did occur.
• The magnitude of the misstatement or potential misstatement may be inconsequential, more than inconsequential, but less than material, or material.

Likelihood and Magnitude

| Magnitude of Misstatement That Occurred or Could Have Occurred | Likelihood of Misstatement: More than remote | Likelihood of Misstatement: Remote |
|---|---|---|
| Quantitatively or qualitatively material | Material weakness | Control deficiency, but not a significant deficiency or a material weakness |
| More than inconsequential, but less than material | Significant deficiency, but not a material weakness | Control deficiency, but not a significant deficiency or a material weakness |
| Inconsequential (i.e. clearly immaterial) | Control deficiency, but not a significant deficiency or a material weakness | Control deficiency, but not a significant deficiency or a material weakness |

Prudent Official Test
• In evaluating the significance of a deficiency, the last step in the auditor’s evaluation is to conclude whether a prudent official having knowledge of the same facts and circumstances would agree with the classification of the deficiency.

Communicating
• Control deficiencies considered significant deficiencies or material weaknesses must be communicated in writing to management and those charged with governance, including previous comments that have not been resolved. (The auditor’s responsibility to communicate significant deficiencies and material weaknesses exists regardless of management’s decisions.)

Communicating
• The written communication is best made by the report (auditor’s opinion on the financial statements) release date, but should be made no later than 60 days following the opinion date.
• The auditor should not issue a written communication stating that no significant deficiencies were identified during the audit, because of the potential for misinterpretation.

Management’s Responses
• Management may want to include their responses to the auditor’s communication containing significant deficiencies and/or material weaknesses.
  – OSA has had this as a standard option
• If responses included, auditor will add a paragraph disclaiming an opinion on the responses.

Auditor’s Communication
• The written communication should include:
  – Purpose of the audit is to express an opinion on the financial statements and not to opine on the effectiveness of internal control over financial reporting
  – State that the auditor is not expressing an opinion on internal control
  – Define the terms significant deficiency and material weakness
  – Identify which matters are significant deficiencies and which are material weaknesses
  – Indicate the restricted use of the document by management and those charged with governance

SAS 112 Issues
• Only the entity’s management or personnel can correct control deficiencies
• External auditors cannot be part of the internal control over financial reporting
  – Lose independence
  – GAO—next project is revising independence Q&A, especially question of whether preparation of financial statements by the auditor impairs the auditor’s independence.
• Even if the auditor communicated significant deficiencies and material weaknesses in previous years, as long as those deficiencies continue to exist, the auditor must continue to communicate them

SAS 112 Issues
• Those charged with governance may need to obtain training on understanding financial statements
  – State Auditor’s Office will be offering training
• May need to consider hiring a firm to prepare financial statements
• Auditor may still issue unqualified (clean) opinion even if material weaknesses in internal control exist.
• Could impact the amount of testing required for the Single Audit
  – Likelihood for more reported deficiencies means fewer entities will be low risk auditees
  – SAS 112 has been incorporated into both Government Auditing Standards and OMB A-133

Additional Information
• What is “SAS 112”?
• OSA Website – www.auditor.state.mn.us
• “Educational Materials”

SAS 103 – Audit Documentation
• Currently effective
• Various requirements related to documentation
  – Sufficiently detailed
  – What should be documented
  – Oral explanations not sufficient
• Auditor’s Report (Opinion date)
  – Eliminates end of fieldwork
  – New date is when auditor has obtained sufficient appropriate evidence to support opinion
• Implications regarding timing of letters from auditee

Sufficient Audit Evidence
• Audit documentation should be reviewed
• Final statements, including notes and management’s discussion and analysis (MD&A) have been prepared
• Management has taken responsibility for financial statements
  – Management representation letter

Implications to Auditee
• Shortens the time frame between opinion date and release date
  – Release date is when report is sent
• Puts some time constraints on final procedures
  – Client rep letter should be dated the same date as opinion
  – Attorney letters may require updating
  – Shorter amount of time to submit responses to findings
• May require additional procedures for subsequent events

SAS 114 – The Auditor’s Communication with Those Charged with Governance
• Effective for audits of December 31, 2007, and beyond
• Defines those charged with governance and management
• Communications between auditor and auditee during the conduct of the audit
• Follow up to SAS 112

Definitions
• Those with the Power of Governance – the persons with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting process.
• Management – the persons responsible for achieving the objectives of the entity and who have the authority to establish policies and make decisions by which those objectives are to be pursued. Management is responsible for the financial statements, including designing, implementing, and maintaining effective internal control over financial reporting.

Auditor’s Responsibility
• Need to identify those charged with governance; could be a subgroup such as an audit committee
• If not clearly identified, agreement must be reached
• Identify the matters to be communicated
• Evaluate the effectiveness of communication

Purpose of Communication
• Communicate the responsibilities of the auditor in relation to the financial statement audit (an overview of the scope and timing of the audit)
• Obtain from those charged with governance information relevant to the audit
• Provide timely observations arising from the audit that are relevant to their responsibility in overseeing the financial reporting process (significant findings from the audit)
• Communications regarding significant findings are generally in writing.

Matters Communicated
• How the auditor proposes to address significant risks due to fraud or error
• The auditor’s approach relating to internal control
• The concept of materiality
• The extent of reliance on an internal audit effort

SAS 114 Issue
• Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control.
  – Audit communication process is part of the oversight

SAS 114 Issue
• If auditor believes the two-way communication is inadequate, he/she should consider:
  – Modifying the auditor’s opinion on the basis of a scope limitation
  – Obtaining legal advice about the consequences of different courses of action
  – Withdrawing from the engagement

Risk-Based Set of Audit Standards
[Diagram: Risk Assessment Standards, comprising SAS 104, SAS 105, SAS 106, SAS 107, SAS 108, SAS 109, SAS 110 and SAS 111]

SAS 104-108
• SAS 104 – Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures (“Due Professional Care in Performance of Work”)
• SAS 105 – Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
• SAS 106 – Audit Evidence
• SAS 107 – Audit Risk and Materiality in Conducting an Audit
• SAS 108 – Planning and Supervision

SAS 109-111
• SAS 109 – Understanding the Entity and its Environment and Assessing the Risks of Material Misstatements
• SAS 110 – Performing Audit Procedures in Response to Assessed Risks in Evaluating the Audit Evidence Obtained
• SAS 111 – Amendment to Statement of Auditing Standards No. 39, Audit Sampling

Objectives of Standards
• More in-depth understanding of the entity and its environment, including its internal control, to identify the risks of material misstatement in the financial statements and what the entity is doing to mitigate them
• More rigorous assessment of the risks of material misstatement of the financial statements based on that understanding
• Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks

Implications to Auditees
• Could impact level and type of audit procedures required
  – However, may balance out
• Riskier areas more coverage vs. less risky areas receiving less coverage
• OSA has started implementing some requirements in 2006 audits

Effective Years for Audits of
• 2006 Financials – SAS 103; SAS 112; SAS 113 ¶ 1-6
• 2007 Financials – SAS 104-111; SAS 114; SAS 113 ¶ 7-14
• 2008 Financials – Nothing yet, but give it time

Summary of New Audit Standards
• SAS 103
  – New documentation requirements
  – New report date may impose time constraints
• SAS 112
  – New definitions on control deficiencies
  – Increased likelihood of reported items
  – Required communication in writing
• SAS 114
  – Defines those charged with governance and management
  – Defines the audit communication process
• SASs 104-111
  – Define the audit process
  – Risk affects the nature, timing and extent of procedures
  – Expectations are that riskier audit environment requires additional procedures
• SAS 113 – Omnibus 2006
  – Cleans up other audit standards because of the language and changes of above new standards

Contact Information
• Greg Hierlinger – Greg.Hierlinger@state.mn.us – (651) 296-7003
• David Kenney – David.Kenney@state.mn.us – (651) 297-3671