SAS Update
GFOA Western Pa – January 2008
Presented by
Rob Lent, CPA, CGFM
Sources
AICPA Auditor’s Risk Assessment Process:
Tackling the New Risk Assessment SASs
GAO presentation to the AICPA Governmental
Audit Quality Center July 11, 2006
Pennsylvania CPA Journal, Winter 2007
Suite of 8, The Risk Assessment
Standards
SAS 104, Amendment to SAS 1, Codification of Auditing Standards and
Procedures
SAS 105, Amendment to SAS 95, Generally Accepted Auditing
Standards
SAS 106, Audit Evidence
SAS 107, Audit Risk and Materiality in Conducting an Audit (Audit
Risk and Materiality)
SAS 108, Planning and Supervision
SAS 109, Understanding the Entity and its Environment and Assessing
the Risks of Material Misstatement
SAS 110, Performing Audit Procedures in Response to Assessed Risks
and Evaluating the Audit Evidence Obtained
SAS 111, Amendment to SAS 39, Audit Sampling
Audit Risk
Inherent Risk
Control Risk
Detection Risk
General Effects of The Risk
Assessment SAS
Expand the quality and depth of the auditor’s
required understanding of the entity and its
environment, including internal control.
Requires the auditor to assess the risks of
material misstatements at the financial
statement level and at the assertion level on all
audits based on the understanding obtained.
General Effects of The Risk
Assessment SAS
Eliminates the “default to maximum” for control risk,
which should encourage testing of controls.
Emphasizes importance of the entity’s risk assessment
process.
Strengthens the linkage between assessed risks and the
auditor’s responses to those risks.
Clarifies the auditor’s ability to rely on audit evidence
gathered in prior audits.
Strengthens guidance for testing disclosures.
General Effects of The Risk
Assessment SAS
Clarifies and expands guidance on evaluating
audit findings.
Expands documentation requirements
• Results of the risk assessments at both the financial
statement level and the assertion level.
• The nature, timing and extent of audit procedures
performed.
• The linkage of auditor responses with the assessed
risks at the assertion level; and
• Results of audit procedures.
Key Areas
• Level of Audit Assurance
• Planning and Supervision
• Understanding Internal Controls
• Audit Risk and Materiality
• Understanding the Entity
• Performing Audit Procedures
• Audit Sampling
• Audit Evidence and Evaluation
Level of Audit Assurance
Clarifies the meaning of reasonable assurance.
“the auditor must plan and perform the audit to
obtain sufficient appropriate audit evidence so that
risk will be limited to a low level that is, in his or
her professional judgment, appropriate for
expressing an opinion on the financial statements”
• Absolute assurance is not attainable.
• High level of assurance
Audit Planning
Gain an understanding of the client and their environment.
Performing preliminary analytical review procedures.
Estimating planning materiality and tolerable misstatement.
Identifying significant accounts.
Conducting a fraud specific team meeting.
Assessing the risk of material misstatement arising from fraud
or error at the entity level.
Agreeing on timing and deliverables.
Developing an overall audit strategy.
Planning and Supervision
More partner level involvement
Planning occurs throughout the audit
Development of an audit strategy
• Broad approach to how the audit will be
conducted
Development of an audit plan
• Describes in detail the nature, timing and
extent of risk assessment and further audit
procedures in response to risk assessment
Should obtain a written understanding
Audit Risk and Materiality
Audit risk and materiality are used to identify
and assess the risk of material misstatement
Eliminates the ability of the auditor to assess
control risk “at the maximum” without having
a basis for that assessment
Materiality should consider both qualitative and
quantitative characteristics
Understanding the Entity
Must obtain a sufficient understanding of the
entity and its environment, including internal
control, to assess the risk of material
misstatement of the financial statements
whether due to error or fraud, and to design
the nature, timing and extent of further audit
procedures
Understanding the Entity
Risk Assessment Procedures
Understanding the Entity and its Environment,
Including Internal Control
Assessing Risk of Material Misstatement
Documentation
Risk Assessment Procedures
• Inquiries of management and others within the
entity.
• Analytical procedures.
• Observation and inspection.
Inquiry alone is not sufficient to evaluate the
design of internal control and to determine
whether it has been implemented.
Risk Assessment Procedures
Analytical Procedures
• Expectations must be established
Observation and Inspection
• Review of contracts
• Observation at the entity
• Transaction walk-throughs
Risk Assessment Procedures
Determine whether changes have occurred that
may affect the relevance of information about
the entity and its environment that was
obtained in prior periods if the auditor intends
to use such information in the current audit.
Risk Assessment Procedures
Initiate a discussion among the members of the
engagement team about the susceptibility of the
entity to material misstatements of the financial
statements.
Understanding the Entity and its
Environment, Including Internal
Control
Obtain an understanding of the entity and its
environment, including internal control.
• Industry, regulatory and other external factors.
• Nature of the entity, including the entity’s application of
accounting policies.
• Objectives and strategies and the related business risks,
including the entity’s risk assessment process.
• Measurement and review of the entity’s financial
performance.
Understanding the Entity and
its Environment, Including
Internal Control
Control environment.
The entity’s risk assessment process.
The information system and related business
processes relevant to financial reporting, and
communication.
Control activities.
Monitoring of controls.
The Control Environment
Tone of an organization.
• Integrity and Ethical Values.
• Competency.
• Governance.
• Experience and knowledge.
• Stature within the entity and business community.
• Genuine interest in internal control.
• Independence of management.
• Active interaction with the external auditors.
The Control Environment
Tone of an organization.
• Philosophy and Operating Style.
• Authority and Responsibility.
• Human Resources.
Risk Assessment Process
The entity’s identification and analysis of relevant risks to
the achievement of its objectives.
Each will have its own unique risks.
External and internal factors.
• New accounting systems.
• New personnel or employee turnover.
• New accounting standards.
• A significant and/or unusual transaction or event.
Risk Assessment Process
Reliance by an entity on its external auditor for
this risk assessment is indicative of a material
weakness and causes the auditor to evaluate
audit risk as high.
Information and Communication
Systems
Support the identification, capture and exchange
of information in a form and time frame that
enable employees to carry out their
responsibilities.
Control Activities
Policies and procedures that help ensure that
management directives are carried out.
The entity’s response to either preventing errors
from occurring or detecting and correcting
them if they do occur.
Monitoring
Process that assesses the quality of internal
control performance over time.
Assessing the Risk of Material
Misstatement
Assess the risks of material misstatements at the financial
statement level and at the assertion level for classes of
transactions, account balances and disclosures.
• Identifies risks by considering the entity and its
environment, including relevant controls that relate to the
risks.
• Relates the identified risks to what can go wrong at the
assertion level.
• Considers whether the risks are of a magnitude that could
result in a material misstatement of the financial
statements.
• Considers the likelihood that risks could result in a
material misstatement in the financial statements.
Documentation
The discussion among the audit team.
The understanding of aspects of the entity and its
environment, including the components of internal
control; the sources from which the understanding was
obtained; and the risk assessment procedures.
The significant risks and the risks for which substantive
procedures alone are not sufficient and the controls
related to those risks that were evaluated.
The results of the risk assessment at both the financial
statement level and at the assertion level and the basis
for the assessment.
Performing Audit Procedures
Overall Responses
Audit Procedures Responsive to Risks of Material
Misstatement at the Relevant Assertion Level
Sufficiency and Appropriateness of the Audit
Evidence Obtained
Documentation
Performing Audit Procedures
Perform tests of controls to obtain audit evidence about
their operating effectiveness when the auditor’s
assessment of risks of material misstatements at the
assertion level is based on an expectation that controls
are operating effectively.
Perform tests of controls to obtain evidence about their
operating effectiveness when the auditor has
determined that it is not possible or practicable to
reduce the risk of material misstatement at the
assertion level to an appropriately low level with audit
evidence obtained only from substantive procedures.
Performing Audit Procedures
Determine what additional audit evidence should be
obtained for the remaining period when the auditor
obtains audit evidence about the operating effectiveness
of controls during an interim period.
Obtain audit evidence through a combination of inquiry,
observation, and inspection about whether changes in
specific controls have occurred since evidence about
their operating effectiveness was obtained in a previous
audit if the auditor plans to use that evidence in the
current audit.
Performing Audit Procedures
Obtain audit evidence about whether changes in specific
controls have occurred since evidence about their
operating effectiveness was obtained in a previous audit
if the auditor plans to use that evidence in the current
audit.
• If such controls have changed since they were last tested,
test their operating effectiveness in the current audit.
• If such controls have not changed since they were last tested,
test their operating effectiveness at least every third audit.
Performing Audit Procedures
Plan and perform substantive procedures for each
material class of transactions, account balance and
disclosure irrespective of the assessed risk.
Perform substantive procedures, consisting of tests of
details alone or tests of details combined with
substantive analytical procedures that are specifically
responsive to significant risks.
Performing Audit Procedures
Test during each audit the operating effectiveness
of some controls where there are a number of
controls for which the auditor determines that
it is appropriate to use audit evidence obtained
in prior audits.
Performing Audit Procedures
If the auditor plans to rely on controls to mitigate a
“significant risk”, obtain all evidence about the
operating effectiveness of such controls from tests of
controls performed in the current audit.
Internal Control
Documentation
Routine Processes.
Non-Routine and Estimation Processes.
• If the entity does not have the necessary resources to
effectively execute estimation and non-routine processes,
then a likely material weakness exists under the new audit
standards.
Internal Control
Documentation
Financial Statement Closing Process.
• Identification and timely analysis and adjustment of
significant accounts which require sensitive estimates and
judgments.
• Recording journal entries.
• Reconciling key accounts to their subsidiary records.
• Agreeing the financial records to the amounts and
disclosures in the financial statements.
• Determining that all required disclosures are made.
Internal Control
Documentation
Financial Statement Closing Process.
• Documentation of accounting policies.
• Support for financial statement disclosures.
• The governing body’s review and approval of the financial
statements.
• If the entity does not have the necessary resources to
effectively apply GAAP to recording the entity’s financial
statements or prepare its financial statements, then a likely
material weakness exists under the new audit standards.
Internal Control
Documentation
Information Technology Processes.
• General controls - policies and procedures that relate to
many applications and support the effective functioning of
application controls by helping to ensure the continued
proper operation of information systems.
• Application controls - apply to the processing of individual
applications.
Overall Responses
Determine the overall responses to address the risks of
material misstatements at the financial statement level.
Audit Procedures Responsive to Risks of
Material Misstatement at Relevant Assertion
Level
Cannot rely on control tests alone for material
matters
Cannot rely on analytics alone for material
matters
Evaluating the Sufficiency and
Appropriateness of Audit Evidence Obtained
Results must be evaluated together
Matter of professional judgment
Documentation
The overall responses to address the assessed risks of
misstatement at the financial statement level.
The nature, timing and extent of the audit procedures.
The linkage of those procedures with the assessed risks at
the assertion level.
The results of audit procedures.
The conclusions reached with regard to the use in the
current audit of audit evidence about the operating
effectiveness of controls that was obtained in a prior
audit.
Audit Sampling
Sample size selected by non-statistical
methodologies must approximate the sample
sizes had statistical methods been used.
Gone are the days when audit teams pulled a
sample size out of the air “based on
professional judgment”
Audit Evidence and
Evaluation
Audit evidence
• All of the information used by the auditor in arriving at
the conclusions on which the audit opinion is based.
Provides additional guidance on the reliability of various
kinds of evidence.
So, Let’s Try It!!
Where do we start??
Internal Control
Documentation
Identifying entity level controls.
Identifying significant accounts, groups of accounts or
classes of transactions.
Identifying significant underlying processes.
Preparing documentation of processes.
Performing walk-throughs.
Asking what could go wrong questions.
Identifying controls to mitigate the potential
misstatements.
Assessing the likelihood that a failure could be material to
the entity’s financial statements.
Relating controls to financial statement assertions.
Entity Level Controls
Control Environment
Risk Assessment
Information and Communication
Control Activities
Monitoring
Control Activities
“What could go wrong?” questions.
If key controls are absent then there is at least a
significant deficiency in the internal control design.
Control Activities
Matrix
• Financial statement assertion,
• “What could go wrong?” questions,
• Key controls,
• Control type – preventative or detective,
• Control activity processed by,
• Manual or IT dependent control,
• IT general control evaluated,
• Control effective and
• Control tested
Assertions
Re-categorizes the five assertions into three categories.
• Classes of transactions (5 assertions)
  • Occurrence – Transactions and events that have been
  recorded have occurred and pertain to the entity.
  • Completeness – All transactions and events that have
  been recorded have occurred and pertain to the entity.
  • Accuracy – Amounts and other data relating to recorded
  transactions and events have been appropriately
  recorded.
  • Cutoff – Transactions and events have been recorded in
  the correct accounting period.
  • Classification – Transactions and events have been
  recorded in the proper accounts.
Assertions
• Account balances (4 assertions)
  • Existence – Assets, liabilities, and equity interests exist.
  • Rights and Obligations – The entity holds or controls the
  rights to the assets, and liabilities are the obligation of
  the entity.
  • Completeness – All assets, liabilities and equity interests
  that should have been recorded have been recorded.
  • Valuation and Allocation – Assets, liabilities and equity
  interests are included in the financial statements at
  appropriate amounts and any resulting valuation or
  allocation adjustments are appropriately recorded.
Assertions
• Presentation and disclosure (4 assertions)
  • Occurrence and Rights and Obligations – Disclosed
  events and transactions have occurred and pertain
  to the entity.
  • Completeness – All disclosures that should have
  been included in the financial statements have been
  included.
  • Classification and Understandability – Financial
  information is appropriately presented and
  described and disclosures are clearly expressed.
  • Accuracy and Valuation – Financial and other
  information are disclosed fairly and at appropriate
  amounts.
Risk Assessment Overview
[Diagram labels: Inquiries; Brainstorming; New Process; Analytical Procedures; Fraud Risk Factors; Other; Risk Assessment; Respond]
Questions?
Rob Lent, CPA, CGFM
1-412-535-5500
rlent@md-cpas.com