SAS 104-111 Teleconference
Jan. 15, 2009
Craig Funkhouser, Crowe Horwath LLP, craig.funkhouser@crowehorwath.com
Ken Goldmann, J.H. Cohn, kgoldmann@jhcohn.com
1

Today’s Program
Historical Background, Review Of Key Terms Of SAS 104-111: Craig Funkhouser, Slides 3 Through 31
Lessons For Companies: Ken Goldmann, Slides 32 Through 51
Early Experiences From Implementation Of SAS 104-111: Craig Funkhouser, Slides 52 Through 72
A Look Forward: Craig Funkhouser And Ken Goldmann, Slides 73 Through 83
2

Historical Background, Review Of Key Terms Of SAS 104-111
3

How Did We Get Here?
● Bad publicity beginning with Enron: 2001
● Congress passes the Sarbanes-Oxley Act of 2002
● AICPA issues SAS No. 99, Consideration of Fraud in a Financial Statement Audit, effective in 2003
● PCAOB issues Audit Standard No. 2, Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, in 2004
● AICPA issues SAS No. 103, December 2005
● AICPA issues SAS Nos. 104 through 111, March 2006
● AICPA issues SAS No. 112, May 2006
● AICPA issues SAS No. 114, December 2006
● PCAOB issues Audit Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, 2007
4

AICPA Risk Assessment Standards
● Eight new auditing standards
  – Enhance auditor performance
  – Improve audit effectiveness
  – Encourage auditors to focus on areas where the risk of misstatement is the greatest
● Effective for audits of financial statements for periods beginning on or after Dec. 15, 2006
● SAS 103 and SAS 112 were effective for periods ending on or after Dec. 15, 2006 and are NOT considered part of the risk assessment standards
● SAS 114 – The auditor’s communication with those charged with governance is effective for periods beginning on or after Dec. 15, 2006 and is NOT considered part of the risk assessment standards
5

SAS Nos. 103, 112 And 114
● SAS No. 103, Audit Documentation
  – Effective for periods ending after Dec. 15, 2006
  – Changes documentation standards, supersedes SAS No. 96
  – Changes how auditors date their audit reports
● SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit
  – Effective for periods ending after Dec. 15, 2006
  – Changes the classification of control deficiencies
  – Changes how auditors assess severity of deficiencies
  – Changes communication requirements
● SAS No. 114, The Auditor’s Communication with Those Charged with Governance
  – Effective for periods beginning after Dec. 15, 2006
  – Changes “required communications,” supersedes SAS No. 61
  – Not only for companies who maintain an audit committee
6

Overview Of Risk Assessment Standards
● Statement on Auditing Standards (SAS) No. 104 – Amendment to SAS No. 1, Codification of Auditing Standards and Procedures
● SAS No. 105 – Amendment to SAS No. 95, Generally Accepted Auditing Standards
● SAS No. 106 – Audit Evidence
● SAS No. 107 – Audit Risk and Materiality in Conducting an Audit
● SAS No. 108 – Planning and Supervision
● SAS No. 109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
● SAS No. 110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
● SAS No. 111 – Amendment to SAS No. 39, Audit Sampling
7

Overview Of Risk Assessment Standards (Cont.)
These statements establish standards and provide guidance concerning:
• The auditor’s assessment of the risks of material misstatement (whether caused by error or fraud) in a financial statement audit
• The design and performance of audit procedures whose nature, timing and extent are responsive to the assessed risks
8

Overview Of Risk Assessment Standards (Cont.)
The statements also establish standards and provide guidance on:
• Planning and supervision
• The nature of audit evidence, and
• Evaluating whether the audit evidence obtained affords a reasonable basis for an opinion regarding the financial statements under audit
9

Overview Of Risk Assessment Standards (Cont.)
The primary objective is to enhance auditors’ application of the audit risk model in practice by specifying, among other things:
• More in-depth understanding of the entity and its environment, including its internal controls, to identify the risks of material misstatement in the financial statements and what the entity is doing to mitigate them
• More rigorous assessment of the risks of material misstatement of the financial statements, based on that understanding
• Improved linkage between the assessed risks and the nature, timing and extent of audit procedures performed in response to those risks
10

Risk Assessment Provisions
● The major risk assessment provisions are designed to:
  – Expand the quality and depth of the auditor’s required understanding of the entity and its environment, including its internal controls
  – Require the auditor to assess the risks of material misstatements at the financial statement level and at the assertion level on all audits based on the understanding obtained
  – Eliminate the “default to maximum” for control risk, which should encourage testing of controls
11

Risk Assessment Provisions (Cont.)
● The major risk assessment provisions are designed to:
  – Emphasize the importance of the entity’s risk assessment process
  – Strengthen the linkage between assessed risks and the auditor’s response to those risks
  – Clarify the auditor’s ability to rely on audit evidence gathered in prior audits
  – Strengthen guidance for testing disclosures
  – Clarify and expand guidance on evaluating audit findings, and
  – Expand documentation requirements
12

SAS No. 104
● Expands the definition of “reasonable assurance” to a high, but not absolute, level of assurance
● Requires the auditor to plan and perform the audit to limit audit risk to a low level
13

SAS No. 105
● Expands the scope of the understanding that the auditor must obtain in the second standard of field work from “internal control” to “the entity and its environment, including its internal control”
● The quality and depth of the understanding to be obtained is emphasized by amending its purpose from “planning the audit” to “assessing the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures”
● Use of generic or standard audit programs is not appropriate, since risk varies among entities being audited
14

SAS No. 106
● Introduces the concept of “risk assessment procedures”
● Identifies risk assessment procedures
  – Inquiries of management and others in the entity
  – Analytical procedures
  – Observation, inspection and other audit evidence
● Clearly states that inquiry alone is not sufficient in evaluating the design of an internal control and to determine whether it has been implemented
● Recategorizes assertions by classes of transactions and events, account balances, and presentation and disclosure; and describes how the auditor uses relevant assertions to assess risk and design audit procedures
15

Financial Statement Assertions
SAS 106 identifies 13 assertions rather than five. The assertions are as follows:

Assertions per SAS 106, paragraph 15
Transactions: Occurrence; Completeness; Accuracy; Cutoff; Classification
Acct Balances: Existence; Rights & Obligations; Completeness; Valuation & Allocation
Presentation: Occurrence & Rights & Obligations; Completeness; Classification & Understandability; Accuracy & Valuation
No. Of Assertions: 13
16

SAS No. 107
● SAS No. 107 states that the auditor must consider audit risk and must determine a materiality level for the financial statements taken as a whole
● The determination of materiality takes into account how users with the following characteristics could reasonably be expected to be influenced in making economic decisions. Users are assumed to:
  – Have an appropriate business knowledge and a willingness to study the financial statements
  – Understand that financial statements are prepared and audited to levels of materiality
  – Recognize the uncertainties inherent (estimates, judgments, consideration of future events)
  – Make appropriate economic decisions on the basis of information in the financial statements
17

SAS No. 107 (Cont.)
● Audit risk consists of:
  – The risk of material misstatement (consisting of inherent risk and control risk) – that the relevant assertions related to balances, classes or disclosures contain misstatements (whether caused by error or fraud) that could be material to the financial statements, when aggregated with misstatements in other relevant assertions related to balances, classes, or disclosures
  – The risk (detection risk) that the auditor will not detect such misstatements
18

SAS No. 107 (Cont.)
● Tolerable misstatement is the maximum error in a population that the auditor is willing to accept
  – When assessing the risks of material misstatements and designing and performing further audit procedures to respond to the assessed risks, the auditor should allow for the possibility that some misstatements of lesser amounts than the materiality levels could, in the aggregate, result in a material misstatement of the financial statements. To do so, the auditor should determine one or more levels of tolerable misstatement. Such levels of tolerable misstatement are normally lower than the materiality levels
19

SAS No. 107 (Cont.)
● “The auditor must accumulate all known and likely misstatements identified during the audit, other than those that the auditor believes are trivial, and communicate them to the appropriate level of management” (SAS No. 107)
  – The auditor should request management to record adjustments needed to correct all known misstatements
  – When the misstatements are considered likely, the auditor should request that management examine the situation in order to identify and correct misstatements therein
20

SAS No. 108
● SAS No. 108 provides guidance on:
  – Appointment of the independent auditor
  – Establishing an understanding with the client (should be written)
  – Preliminary engagement activities
  – The overall audit strategy (formerly “audit approach”)
  – The audit plan (formerly “audit program”)
  – Determining the extent of involvement of professionals possessing specialized skills
  – Using a professional possessing information technology (IT) skills to understand the effect of IT on the audit
  – Additional considerations in initial audit engagement
  – Supervision of assistants
21

SAS No. 109
● SAS No. 109 establishes requirements and provides guidance about implementing the second standard of fieldwork, as follows:
  – The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures
  – The auditor should assess the risk of material misstatement at both the financial statement and relevant assertion levels
  – Under the previous standard, the primary purpose of gaining an understanding of internal control was to plan the audit
22

SAS No. 109 (Cont.)
● SAS No. 109 states that the audit team should discuss the susceptibility of the entity’s financial statements to material misstatement
  – Previous standards did not require a “brainstorming” session to discuss the risk of material misstatements
  – This discussion can be held concurrently with the SAS No. 99 fraud brainstorming session, and SAS 109 requires that this discussion among the audit team members be appropriately documented
23

SAS No. 110
● SAS No. 110 provides guidance on determining overall responses, and designing and performing further audit procedures, to respond to assessed risks of material misstatements at the financial statement and relevant assertion levels. The auditor’s overall responses to address the assessed risks of material misstatement at the financial statement level may include:
  – Emphasizing professional skepticism in gathering and evaluating audit evidence
  – Assigning more experienced personnel or those with specialized skills
  – Providing more supervision
  – Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed, and
  – Making general changes to the nature, timing or extent of further audit procedures
24

SAS No. 110 (Cont.)
● In designing further audit procedures, the auditor should consider such matters as:
  – The significance of the risk
  – The likelihood that a material misstatement will occur
  – The characteristics of the class of transactions, account balance or disclosure involved
  – The nature of the specific controls used by the entity – in particular, whether they are manual or automated
  – Whether the auditor expects to obtain audit evidence to determine if the entity’s controls are effective in preventing or detecting material misstatements
25

SAS No. 110 (Cont.)
● The auditor should perform tests of controls when:
  – The auditor’s risk assessment includes an expectation of the operating effectiveness of controls; or
  – Substantive procedures alone do not provide sufficient appropriate audit evidence at the relevant assertion level
● When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor should determine what additional audit evidence should be obtained for the remaining period
● If the auditor plans to rely on the operating effectiveness of controls intended to mitigate a significant risk, the auditor should obtain audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period
26

SAS No. 110 (Cont.)
● SAS No. 110 states that the auditor should perform certain substantive procedures for all engagements. These procedures include:
  – Performing substantive tests for all relevant assertions related to each material class of transactions, account balances and disclosures, regardless of the assessment of the risk of material misstatement
  – Agreeing the financial statements, including their accompanying notes, to the underlying accounting records
  – Examining material journal entries and other adjustments made during the course of preparing the financial statements
27

SAS No. 111
● SAS No. 111 provides guidance relating to the auditor’s judgment about establishing tolerable misstatement for a specific audit procedure and on the application of sampling to tests of controls. This statement amends SAS No. 39, Audit Sampling, to state the following:
  – When planning a sample for a test of details, the auditor should determine the tolerable misstatement for the sample
  – Tolerable misstatement is the maximum error in a population (for example, the class of transactions or account balance) that the auditor is willing to accept. This term may be referred to as tolerable error in other standards
28

SAS No. 111 (Cont.)
● An auditor who applies statistical sampling uses tables or formulas to compute sample size based on these judgments
● An auditor who applies non-statistical sampling uses professional judgment to relate these factors in determining the appropriate sample size. Ordinarily, this would result in a sample size comparable to the sample size resulting from an efficient and effectively designed statistical sample, considering the same sampling parameters
29

SAS No. 111 (Cont.)
● To determine the number of items to be selected in a sample for a particular test of details, the auditor should consider:
  – Tolerable misstatement
  – Expected misstatement
  – Audit risk
  – Characteristics of the population
  – Assessed risk of material misstatement (inherent risk and control risk)
  – Assessed risk for other substantive procedures related to the same assertion
30

Conclusions
● How will these standards impact me?
Public accountants:
  – Revisions to audit approach
  – Increased focus on assessing risks
  – Increased procedures relative to internal controls
  – Documentation
Private accountants
  – Opportunity to reduce costs by:
    • Preparation of comprehensive documentation of policies and procedures
    • Identification of key internal controls
    • Identification of risk exposure
    • Preparation of the financial statements and related disclosures
  – Increased focus on good corporate governance
  – Higher-quality financial reporting
  – Business process improvements
31

Lessons For Companies
32

Lessons For Companies
● Recent events in the financial markets raise many questions
  – Do companies understand the risk assessment processes?
  – Do people really understand what risks their company faces?
  – How are you dealing with the risk of fraudulent financial reporting?
● SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
  – Are we so concerned with material misstatement in the financial statements that we’ve lost sight of business risk?
33

What Should Companies Be Doing?
Answer the following questions:
● How is risk defined at your company (or, is it defined)?
● How effective is your governance process over risk?
● What risks exist today?
● What processes exist to analyze your risk?
● What processes exist to quantify your risk?
● What processes exist to be sure all business units understand your risk profile?
● What is being done to mitigate your risks?
● What keeps you up at night?
34

The Audit Risk Model
● Audit risk (AR) = Inherent risk (IR) X control risk (CR) X detection risk (DR)
● AR = IR X CR X DR
● Components of audit risk
  – Inherent risk – Risk existing in balances or transactions (Complexity, judgment, theft, obsolescence)
  – Control risk – Risk that ICFR isn’t effective
  – Detection risk – Risk that error will not be found
35

Internal Audit Engagement Approach
36

Phase 1: Scoping And Understanding Business Objectives
● Obtain a clear and comprehensive understanding of your:
  – Environment
  – Organization culture
  – Objectives
  – The operating model in which the internal control structure must operate and be effective to mitigate enterprise risk
● How is this accomplished?
  – By interviews with key management personnel
  – Review of any previous risk assessments
  – Audit plans, strategic plans, marketing plans, financial budgets, management representation letters and IT plans
37

Phase 2: Risk Assessment
● Develop an assessment of risks: business, financial, operational, compliance, as well as any others that are pertinent given the organizational objectives
● Focus is on the areas of high risk and areas that are important to management in the achievement of its business objectives
● To the extent available, use your internal audit function, as it is an integral part of keeping management informed of opportunities for efficiencies and improvements in an organization’s internal control structure
38

Phase 3: Develop Audit Plan
● Once the risk assessment is complete, develop and prepare a document that identifies the potential audit universe
● This document will identify each audit area, along with an assigned risk rating and recommended audit cycle
● Develop a current-year audit schedule
● Ensure that the plan will meet your goals and objectives
39

Phase 4: Execute Audit Plan
● Begin each audit with a pre-audit meeting
● Once scope has been set and communicated, develop and execute the test plans
  – Include detailed testing
  – Interviewing
  – Process-mapping
  – Document review
  – Observation
● Throughout this phase, your team should continuously communicate with management as to progress, potential issues and needs
40

Phase 5: Reporting And Monitoring
During the course of any audit, issues will surely arise. These should be reported in three ways
1. Continuously communicate with management as your teams progress through each audit
2. Prepare a summary document that reflects all of the issues noted during the course of the audit
3. Draft a formal audit report that reflects all previously discussed issues, recommendations and management’s agreed-to action plans
41

New SEC Guidance
● Released in conjunction with proposed Auditing Standard No. 5 (AS-5)
● Key points in release:
  – Top-down, risk based approach
  – Entity-level, anti-fraud and compensating controls become more important
  – Evaluation of controls based on identification and assessment of risk
  – Subsequent years’ effort will be reduced (focus only on changes in risk)
  – IT general controls necessary to address financial reporting risks
  – Evidence (amount of testing) based on risk assessment
42

Road Map For Compliance
[Diagram of phases: Planning/Scoping Phase, Documentation Phase, Testing Phase, Remediation. Labels: Develop Project Plan & Scoping; Document/Update the “As Is” Process & Controls; Develop/Update RCMs & Test Scripts (Identification of Key Controls); Key Control Testing; Operating Effectiveness Gaps; Design Gaps; Enterprise Risk Assessment; Fraud Assessment; Project scope; Project Plan]
Remediation will require re-testing of the control after the fix is implemented. It may involve documentation update as well
43

Some Key Factors To Consider
Typical areas of concern
• Non-routine transactions
• Estimates
• IT general and application-level controls
• Depth of testing to substantiate effectiveness of control
• Judgment on severity of identified weakness
• Effective PMO
• Timely remediation of gaps
44

Achieving Effective ICFR
The COSO Framework
● Control environment
● Risk Assessment
● Control activities
● Information and communication
● Monitoring
45

Control Environment
● Integrity and ethical values
● Board of directors
● Management’s philosophy and operating style
● Organizational structure
● Financial reporting competencies
● Authority and responsibility
● Human resources
46

Risk Assessment
● Financial reporting objectives
● Financial reporting risks
● Fraud risk
47

Control Activities
● Integration with risk assessment
● Selection and development of control activities
● Policies and procedures
● Information technology
48

Information And Communication
● Financial reporting information
● Internal control information
● Internal communication
● External communication
49

Monitoring
● Ongoing and separate evaluations
● Reporting deficiencies
50

Management To-Dos
● What could go wrong?
● Focus on risks that are significant and likely
● Know the objectives of internal controls
  – Provide effectiveness and efficiency of operations
  – Ensure reliable financial reporting
  – Comply with laws and regulations
51

Early Experiences From Implementation Of SAS 104-111
52

Implementation
Summer 2006 through Fall 2007
● Extensive training for auditors
● Over-communication with clients
● Awareness: Informing clients of changes in audit standards
● Increased time required to complete the audit
● Increased fees
● Overall impact on the audit
● Comprehensive revisions to audit methodology
53

Before The Risk Standards
● SAS 112, Communication of Control Deficiencies
  – Redefined material weaknesses, significant deficiencies and deficiencies, while eliminating the term “reportable condition”
  – Enhanced required communications (need to repeat SD and MW)
  – Required auditors to inform the clients whether the identified control deficiencies are significant deficiencies or material weaknesses
  – Huge impact when combined with new risk-based standards
54

SAS 112 Letters
Change in terminology – Classification of comments
● Material weakness – A material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity’s internal controls
55

SAS 112 Letters (Cont.)
Change in terminology – Classification of comments
● Significant deficiency – A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process or report financial data reliably in accordance with generally accepted accounting principles, such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected by the entity’s internal control
56

SAS 112 Letters (Cont.)
Change in terminology – Classification of comments
● Deficiency – A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis
● Best practice – A matter which you may find of interest – not related to a control matter (in theory, these comments should address how management can improve their operations and are viewed as “value-added” comments)
57

SAS 112 Letters (Cont.)
Deficiency communication – What is the control issue, what is the risk, what is the recommendation?

Testing LIFO Unit Counts (Significant Deficiency)
Observation: During our testing of the LIFO reserve, we noted several instances where the same item in multiple inventory locations had a different LIFO unit cost. Most differences in LIFO unit costs had immaterial impacts on the LIFO reserve calculation, and correspondingly, net income. One instance resulted in the misstatement of net income from 2002-2007 by approximately $580,000. However, the cumulative impact over time was only $60,000. Management has not compared LIFO costs between locations to ensure that the same base year cost is being utilized.
Business Risk: The business risk associated with this deficiency is that the LIFO reserve may not be fairly stated and, as noted above, income may be misstated.
Recommendation: We recommend that management implements control procedures as part of its monthly closing process to check for similar instances so that any errors are identified and resolved timely.
Management’s Response: Management will look into implementing procedures during the next fiscal year to improve the LIFO costing process and verify no errors exist.

(Implemented prescribed formats for management comment letters)
58

SAS 104-111 Early Experiences – Changes In Audits
● Materiality levels have changed (usually lower)
● Confirmation testing has increased
  – More receivable confirmations, for example
● More extensive understanding of internal controls
  – Observing, reviewing, corroborating supporting evidence
  – Additional time spent with client personnel
● More extensive understanding of IT controls
  – Observing, reviewing, corroborating supporting evidence
  – Time spent understanding the interplay with manual controls
● Enhanced IT control testing
59

SAS 104-111 Early Experiences – Changes In Audits (Cont.)
● More extensive testing of internal controls
● Manual and computer controls
● More linkage of reliance on controls to other substantive testing
● Understand entity level controls – risk impact – linkage
● Conveyance of SAS 104-111 to foreign auditors, for them to comply with U.S. GAAS requirements
60

SAS 104-111 Early Experiences – Client Matters
● Our auditors are requesting more information regarding:
  – Internal controls – computer and manual
  – Various procedures – corroborating
  – Client policies – not always written
● This information must be supported by written internal documentation
  – Must be maintained by the client
  – Should not simply be the internal control questionnaires or forms maintained by the outside auditor
61

SAS 104-111 Early Experiences – Client Matters (Cont.)
● More formal documentation is required of our clients
  – Journal entries – documentation of who prepared and who reviewed
  – Account reconciliations – documentation of who prepared and who reviewed
  – Monthly results – formal documentation of the review of actual results to budgeted results and same month/prior year results
● Some clients feel that “the playing field has changed,” while other clients “embrace the enhanced audit standards”
62

SAS 104-111 Early Experiences – Auditor Issues/Comments
● “The risk assessment standards had little effect on the design of certain audit procedures”
  – Auditors are still spending time on areas where risk of misstatement is not great
  – Example of long-term debt
    • Client performs, reviews and documents the reconciliation process, from lender statements to the general ledger
    • Audit team still sends confirmations, tests interest reasonableness and performs other non-value added audit procedures
63

SAS 104-111 Early Experiences – Auditor Issues/Comments (Cont.)
● “The risk assessment standards drive deficiency communication even without audit adjustments”
  – Client did not document any of their controls, and controls could not be corroborated by the auditors
  – Client got the answer right in the end; standards indicate the need to communicate deficiencies even without an audit adjustment
  – Lesson per the standard: “It is not appropriate to be lucky vs. good when it involves controls”
64

SAS 104-111 Early Experiences – Auditor Issues/Comments (Cont.)
Corroboration > inquiry
● In the past, we would inquire as to who had wire transfer authority
● Now, we would ask to see an official list provided to, or confirmed by, the bank
● Many times, we find terminated employees on that list, which we would not have seen if we depended on inquiry
65

SAS 104-111 Early Experiences – Awkward Situations With Clients
● Prior audits – The auditors proposed/prepared journal entries representing proposed corrections of accounting records
  – Prior to risk assessment standards, maybe no management comments addressed this issue
  – This year, audit team issued a “material weakness” regarding accounting and reporting relating to the proposed corrections of the accounting records
  – Corrections are usually an indicator that controls were not functioning correctly or do not exist to keep accounting information correct
66

SAS 104-111 Early Experiences – Awkward Situations With Clients (Cont.)
● Hesitation to provide completed trial balances or schedules
  – Clients do not want any deficiencies (or significant deficiencies or material weaknesses)
  – Clients then hold back providing schedules or intentionally omit certain line items (e.g., income taxes)
  – Ultimate result is a “debate” as to who identified the need for an adjusting entry
67

SAS 104-111 Early Experiences – Awkward Situations with Clients (Cont.)
● Complex accounting issues
● Hedge accounting – FAS No. 133
● Clients not taking responsibility to comply with standard
● Clients ultimately rely on outside auditors
● Sometimes judgmental issues
● Extra time spent “debating” classification of comments
● Clients want “best practices”
● Control observations are deficiencies
● Must repeat observations or make reference to prior observations if still present – added communication
68

SAS 104-111 Early Experiences – Awkward Situations with Clients (Cont.)
Owner-managed businesses
● Little or no documentation of entity-level controls
● No formal meetings among ownership, management, others
● No corporate governing committee
Resulting in no formal documentation of:
● Review of financial statements
● Approval of significant, unusual transactions
● Changes to employment policies
Clients ask:
● What is the value of documenting these processes?
69

SAS 104-111 Early Experiences – Client Interactions
● Instances where all risk assessments were completed well in advance of year-end
  – We met with management and those charged with governance to discuss the significant deficiencies
  – Management adopted all recommendations and made changes in their control system (policies/procedures) prior to year-end and corrected past information, if necessary
  – We considered this similar to remediation under AS-5, Public Company Audit Requirement
  – No control-related deficiencies in their SAS 112 letter
70

SAS 104-111 Early Experiences - Conclusions
● This is not a “blame game”
  – How can auditors help you?
  – The recommendation is the key
● More communications with your auditors
  – Anything that will drive more communication with your auditors will be good for you . . . unless you have something to hide
● Inherent risk
  – CFOs cannot control inherent risk (e.g., economic times, gas at $4.25 per gallon)
  – Must think about controls in place to deter those employees who may be tempted to steal inventory, use manual checks for personal use, etc.
71

SAS 104-111 Early Experiences – Conclusion (Cont.)
● Win for the client
  – More information about their control systems
  – More communication with auditors about risks
● Win for the auditors
  – More communication with clients
  – Better understanding about control systems
● Win for the public trust
  – Better financial information
  – Improved interim financial reporting due to enhanced controls
72

A Look Forward
73

Looking Forward After SAS 104-111
● SAS No. 115
● PCAOB proposal of seven new auditing standards
74

Statement On Auditing Standards (SAS) No. 115, Communicating Internal Control Related Matters in an Audit
● Supersedes SAS No. 112
● Revisions to definitions to align with AS-5
● Implications for government audits
● Management letter change
75

Material Weakness
A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility¹ that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected
¹ FAS No. 5 – Remote, Reasonably Possible and Probable
76

Significant Deficiency
A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance
77

Implications For Government Audits
“Not Yet Adopted”
● Government Auditing Standards
● Circular A-133
● Other similar federal regulations
● Audit guides
Do not implement early SAS No. 115 under these standards!
78

Management Letter Changes
“Auditor’s consideration of internal control was not designed to identify all deficiencies in internal control that might be significant deficiencies or material weaknesses and therefore, there can be no assurance that all deficiencies, significant deficiencies or material weaknesses have been identified”
79

Communication Content
● Best made by report release date
● No later than 60 days following release date
● Include statement indicating consideration of internal controls not designed to identify all SD or MW
Effective Date
● Periods ending on or after Dec. 15, 2009
  – Earlier implementation is permitted, except as previously noted
80

PCAOB – Proposal Of Seven New Standards
● Proposed Oct. 21, 2008
● 120-day comment period expires Feb. 18, 2009
● Replaces existing “Interim PCAOB Standards”
● All proposed standards deal with audit risk
81

PCAOB – Proposal Of Seven New Standards (Cont.)
The proposed new standards are:
● Audit Risk in an Audit of Financial Statements
● Audit Planning and Supervision
● Identifying and Assessing Risks of Material Misstatement
● The Auditor’s Responses to the Risks of Material Misstatements
● Evaluating Audit Results
● Consideration of Materiality in Planning and Performing an Audit
● Audit Evidence
82

PCAOB – Proposal Of Seven New Standards (Cont.)
Improvements to audits of public companies
The PCAOB has stated that the proposed standards:
● Would update the existing requirements to take account of the improved risk-based audit methodologies currently in use by some auditors
● Should enhance integration of the audit of the financial statements with the audit of internal control over financial reporting, resulting in more effective audits
● Would integrate the auditor’s current responsibilities for considering fraud during the audit
● Would serve as an improved foundation for future standard-setting
● Reflect the Board’s effort to reduce unnecessary differences with the risk assessment standards of other auditing standard-setters
83