Risk Assessment Standards - WHAT YOU

RISK ASSESSMENT STANDARDS
WHAT YOU NEED TO KNOW
NEELY DUNCAN, CPA, CFE, FCPA
AUDIT MANAGER
June 19, 2008
Introduction
• Welcome
• Agenda
  - Risk assessment standards
  - Impact on your audit
  - Benefits to your organization
  - Requirements
  - Internal control deficiencies
  - What can you do to help (and keep audit costs down)
Lane Gorman Trubitt, L.L.P.
6/19/08
Risk Assessment Standards
• Auditing profession continually reviews practices and makes necessary improvements.
• Goal is to maintain and enhance the quality of independent audits and achieve international convergence.
• Post Enron and Sarbanes-Oxley - Higher expectations of auditors.
• Require sweeping changes in our audit process.
• Will result in increased effort by both your company and your auditors.
• Effective for audits of financial statements for periods beginning on or after December 15, 2006.
What is Risk Assessment?
• More focused audit approach.
• Considers at a detailed level what can go wrong in your accounting records and in the preparation of your financial statements.
• Identifies areas where material errors or fraud are more likely to occur.
• Concentrates audit effort in those areas.
• Depends on the depth of our understanding of your company, industry, and internal controls.
Risk Assessment Standards
• SAS 104: Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards & Procedures
• SAS 105: Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
• SAS 106: Audit Evidence
• SAS 107: Audit Risk & Materiality in Conducting an Audit
• SAS 108: Planning & Supervision
• SAS 109: Understanding the Entity and Its Environment & Assessing the Risks of Material Misstatement
• SAS 110: Performing Audit Procedures in Response to Assessed Risks & Evaluating the Audit Evidence Obtained
• SAS 111: Amendment to Statement on Auditing Standards No. 39, Audit Sampling
• SAS 114: The Auditor’s Communication With Those Charged With Governance
Risk Assessment Standards
The objectives of the SASs are to improve audit effectiveness by requiring:
• A more in-depth understanding of the entity and its environment, including its internal control.
• More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements.
• A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.
Impact to 2007 audits
• Planning and supervision
  - Signed engagement letter before planning starts.
  - Approved communication from Audit Committee.
  - Requires more time from managers.
  - Knowledge of business and internal control assessment will add substantially more time.
  - Inquiry regarding internal control not enough – need to verify by doing walkthroughs of all major cycles.
  - Required to assess key IT controls, security & changes – may need IT specialist.
  - Obtain Type II SAS 70 reports for significant outsourced services – for instance, payroll, claims processing, etc.
  - Three planning meetings will be necessary for your auditors.
    - Determine what info to gather and how – walkthroughs, etc.
    - Perform risk assessment including fraud brainstorming
    - Responses to risks – develop audit plan and tailor programs
Impact to 2007 audits (cont)
• Risk assessment
  - Risk based audit approach required – not a philosophical change for us.
  - No longer can assess control risk at maximum and do no work on controls.
  - Risk assessment much more detailed than we used in the past.
  - Risk by assertions to transaction cycle, accounts and disclosures
  - Documentation increased
  - Linkage to audit assertions, procedures, workpapers and conclusions
  - Will require more time from audit team management.
Impact to 2007 audits (cont)
• Other matters
  - Many more management letter comments. Some clients will view this as adding value while others will view this as a problem.
  - 2006 saw that all clients had at least one material weakness – they don’t prepare their F/S, we do. This will be reported every year, unless the client can take responsibility for them.
  - Bottom line estimated impact to fees:
    - Industry says 15-40%
    - Our estimate 10-15%
What are the Benefits to You?
• A more thorough, effective, and focused audit.
• We will be better able to:
  - Provide useful information
  - Identify problems or opportunities and make recommendations
  - Assist with special projects
• Recommended improvements can help you avoid unexpected losses or expenses.
• Better overall internal control.
What are the Requirements?
• Obtain a more in-depth understanding of your company and its operating environment, including internal controls.
• Identify the specific risks of material errors or fraud occurring and remaining undetected by you, along with the actions you are taking to mitigate those risks.
• Perform a rigorous assessment of the risks of material misstatement of your financial statements based on that understanding.
• Link that risk assessment with the resulting audit procedures.
• Meet new documentation requirements.

[Diagram steps: Obtain Understanding; Identify Risks; Perform Risk Assessment; Link Risk Assessment to Audit Procedures; Meet New Documentation Requirements]
In-depth Understanding Of Company
• Auditors are required to gather information to gain an in-depth understanding of the company and its environment.
• Includes the following aspects:
  - External factors
  - Nature of the client
  - Objectives and strategies and related business risks
  - Measurement and review of the company’s financial performance
  - Internal control
Identify Risks of Material Misstatements
• Based on the auditor’s understanding of the design and implementation of the company’s controls, identify those areas where material errors or fraud could occur.
• Consider:
  - Significance of transactions, account balances, and disclosures to the financial statements
  - Effectively designed controls that are in place
Perform Risk Assessment
• Required to assess the risk of material misstatement at:
  - Financial statement level – pervasive to financial statements as a whole and potentially affect many relevant assertions
  - Relevant assertion level – relate to specific classes of transactions, account balances, and disclosures at the assertion level
Perform Risk Assessment (continued)
• Financial statement level risks should be related back to specific assertions.
• Examples of financial statement level risks:
  - Overall weak control environment
  - Lack of qualified personnel in financial reporting roles
  - Management's process for making significant accounting estimates
Perform Risk Assessment (continued)
• Examples of relevant assertion level risks:
  - Existence of accounts receivable
  - Occurrence of sales
  - Valuation of inventory
  - Presentation and disclosure of debt covenant compliance
Assertions
• What are assertions?
• Management’s implicit or explicit representations regarding the recognition, measurement, presentation and disclosure of information in the financial statements
• Our audit approach is generally directed at specific assertions in order to properly link the assessed risks to our audit procedures.
Link Risk Assessment to Audit Procedures
• Assessment of risk of material misstatement (at both the financial statement and assertion level) should be directly linked to the design and performance of audit procedures.
• Audit programs and checklists must be tailored to reflect this linkage.
• Examples:
  - Significant accruals that are subject to complex estimation
  - Inventory quantities that are difficult to count could be misstated
New Documentation Requirements
• Auditors must have and document an appropriate basis for the audit approach.
• This requirement eliminates the ability to assess control risk “at the maximum” without having a basis for the assessment (aka “default to max”).
• “Default to max” means placing no reliance on a company’s internal control and performing primarily detailed, substantive testing.
• Typically, “defaulting to max” was considered to be more efficient for companies with a limited control environment.
New Documentation Requirements (cont.)
• Audit documentation must be prepared in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand:
  - The nature, timing and extent of auditing procedures
  - The results of the audit procedures performed and the audit evidence obtained
  - The conclusions reached on significant matters; and
  - That the accounting records agree or reconcile with the audited financial statements or other audited information
Internal Control Deficiencies
• Internal Control Deficiencies fall into three categories under SAS 112:
  - Control Deficiency - A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Can be communicated by the auditors verbally.
  - Significant Deficiency - A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected. Must be communicated by the auditors in writing.
  - Material Weakness - A material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. Must be communicated by the auditors in writing.
Objectives – Internal Control
• What is internal control?
• Who is involved in internal control?
• How to improve internal control
What is Internal Control?
• Establish effective control environment
• Identify “what can go wrong?” (risk assessment)
• Implement controls to manage risk (control activities)
• Implement reliable information system & communicate
• Monitor control performance
What is Internal Control? (continued)
• Entity level controls – Controls that affect the entire organization.
  - “Tone at the Top”
  - What can go wrong; anti-fraud programs
  - Assignment of authority
  - Distribution of financial information; IT general controls
  - Accountability by departments/functions
• Activity level controls – Controls that capture, process, communicate information.
  - Transaction cycle controls
  - Segregation of duties
Entity-Level Controls
• Control Environment
  - Attitudes, awareness, actions of Owners/Management (those charged with “governance”)
• Risk Assessment
  - How Owners/Management consider risks and take actions to address them
• Control Activities
  - Anti-fraud controls
  - IT general controls
• Information & Communication
  - Capture events that affect reporting
  - Communicate reporting roles/responsibilities
• Monitoring
  - High-level activities that monitor controls/overall accountability
Entity-Level Controls (continued)
What about Smaller Entities?
• Smaller entities may use less formal means and processes to achieve their control objectives.
• Therefore certain components of internal control may not be clearly distinguished, but the underlying purpose is equally valid.
Who is Involved with Internal Control?
• Management has primary responsibility.
  - Not just for the accounting department.
  - Consider all aspects of the company that impact internal controls
• Examples:
  - Hiring, Training, Promoting
  - Operations
  - Sales
Activity Level Controls
• Classes of Transactions
• Account Balances
• Disclosures

• Information
  - Procedures to initiate, record, process and report transactions
• Control Activities
  - Policies and procedures related to assertions
  - IT application controls
  - Segregation of duties, safeguard assets, reconciliations
How to Improve Internal Control
• Ask “what can go wrong?”
• Design controls to mitigate the risk.
• Monitor control performance.
• Set an appropriate tone at the top.
• Exercise oversight of the financial reporting process.
• Consider control recommendations identified by auditors.
What Can You Do to Help?
• Document your key controls and perform your own risk assessment.
• Respond promptly to inquiries and document requests.
• Expect and prepare your staff for walkthroughs.
• Communicate your questions or concerns.
• Look at this as an opportunity to improve controls, not another “hoop to jump through”.