SAS 104-111 Teleconference
Jan. 15, 2009
Craig Funkhouser, Crowe Horwath LLP
craig.funkhouser@crowehorwath.com
Ken Goldmann, J.H. Cohn
kgoldmann@jhcohn.com
1
Today’s Program
● Historical Background, Review Of Key Terms Of SAS 104-111: Craig Funkhouser, Slides 3 Through 31
● Lessons For Companies: Ken Goldmann, Slides 32 Through 51
● Early Experiences From Implementation Of SAS 104-111: Craig Funkhouser, Slides 52 Through 72
● A Look Forward: Craig Funkhouser And Ken Goldmann, Slides 73 Through 83
2
Historical Background, Review Of
Key Terms Of SAS 104-111
3
How Did We Get Here?
● Bad publicity beginning with Enron: 2001
● Congress passes the Sarbanes-Oxley Act of 2002
● AICPA issues SAS No. 99, Consideration of Fraud in a Financial Statement Audit, effective in 2003
● PCAOB issues Audit Standard No. 2, Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, in 2004
● AICPA issues SAS No. 103, December 2005
● AICPA issues SAS Nos. 104 through 111, March 2006
● AICPA issues SAS No. 112, May 2006
● AICPA issues SAS No. 114, December 2006
● PCAOB issues Audit Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, 2007
4
AICPA Risk Assessment Standards
● Eight new auditing standards
  ○ Enhance auditor performance
  ○ Improve audit effectiveness
  ○ Encourage auditors to focus on areas where the risk of misstatement is the greatest
● Effective for audits of financial statements for periods beginning on or after Dec. 15, 2006
● SAS 103 and SAS 112 were effective for periods ending on or after Dec. 15, 2006 and are NOT considered part of the risk assessment standards
● SAS 114 – The auditor’s communication with those charged with governance is effective for periods beginning on or after Dec. 15, 2006 and is NOT considered part of the risk assessment standards
5
SAS Nos. 103, 112 And 114
● SAS No. 103, Audit Documentation
  ○ Effective for periods ending after Dec. 15, 2006
  ○ Changes documentation standards, supersedes SAS No. 96
  ○ Changes how auditors date their audit reports
● SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit
  ○ Effective for periods ending after Dec. 15, 2006
  ○ Changes the classification of control deficiencies
  ○ Changes how auditors assess severity of deficiencies
  ○ Changes communication requirements
● SAS No. 114, The Auditor’s Communication with Those Charged with Governance
  ○ Effective for periods beginning after Dec. 15, 2006
  ○ Changes “required communications,” supersedes SAS No. 61
  ○ Not only for companies who maintain an audit committee
6
Overview Of Risk Assessment
Standards
● Statement on Auditing Standards (SAS) No. 104 – Amendment to SAS No. 1, Codification of Auditing Standards and Procedures
● SAS No. 105 – Amendment to SAS No. 95, Generally Accepted Auditing Standards
● SAS No. 106 – Audit Evidence
● SAS No. 107 – Audit Risk and Materiality in Conducting an Audit
● SAS No. 108 – Planning and Supervision
● SAS No. 109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
● SAS No. 110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
● SAS No. 111 – Amendment to SAS No. 39, Audit Sampling
7
Overview Of Risk Assessment
Standards (Cont.)
These statements establish standards and provide guidance concerning:
• The auditor’s assessment of the risks of material misstatement (whether caused by error or fraud) in a financial statement audit
• The design and performance of audit procedures whose nature, timing and extent are responsive to the assessed risks
8
Overview Of Risk Assessment
Standards (Cont.)
The statements also establish standards and provide guidance on:
• Planning and supervision
• The nature of audit evidence, and
• Evaluating whether the audit evidence obtained affords a
reasonable basis for an opinion regarding the financial
statements under audit
9
Overview Of Risk Assessment
Standards (Cont.)
The primary objective is to enhance auditors’ application of the audit
risk model in practice by specifying, among other things:
• More in-depth understanding of the entity and its environment,
including its internal controls, to identify the risks of material
misstatement in the financial statements and what the entity
is doing to mitigate them
• More rigorous assessment of the risks of material misstatement
of the financial statements, based on that understanding
• Improved linkage between the assessed risks and the nature,
timing and extent of audit procedures performed in response to
those risks
10
Risk Assessment Provisions
● The major risk assessment provisions are designed to:
  ○ Expand the quality and depth of the auditor’s required understanding of the entity and its environment, including its internal controls
  ○ Require the auditor to assess the risks of material misstatements at the financial statement level and at the assertion level on all audits based on the understanding obtained
  ○ Eliminate the “default to maximum” for control risk, which should encourage testing of controls
11
Risk Assessment Provisions (Cont.)
● The major risk assessment provisions are designed to:
  ○ Emphasize the importance of the entity’s risk assessment process
  ○ Strengthen the linkage between assessed risks and the auditor’s response to those risks
  ○ Clarify the auditor’s ability to rely on audit evidence gathered in prior audits
  ○ Strengthen guidance for testing disclosures
  ○ Clarify and expand guidance on evaluating audit findings, and
  ○ Expand documentation requirements
12
SAS No. 104
● Expands the definition of “reasonable assurance” to a high, but not absolute, level of assurance
● Requires the auditor to plan and perform the audit to limit audit risk to a low level
13
SAS No. 105
● Expands the scope of the understanding that the auditor must obtain in the second standard of field work from “internal control” to “the entity and its environment, including its internal control”
● The quality and depth of the understanding to be obtained is emphasized by amending its purpose from “planning the audit” to “assessing the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures”
● Use of generic or standard audit programs is not appropriate, since risk varies among entities being audited
14
SAS No. 106
● Introduces the concept of “risk assessment procedures”
● Identifies risk assessment procedures
  ○ Inquiries of management and others in the entity
  ○ Analytical procedures
  ○ Observation, inspection and other audit evidence
● Clearly states that inquiry alone is not sufficient in evaluating the design of an internal control and to determine whether it has been implemented
● Recategorizes assertions by classes of transactions and events, account balances, and presentation and disclosure; and describes how the auditor uses relevant assertions to assess risk and design audit procedures
15
Financial Statement Assertions
SAS 106 identifies 13 assertions rather than five. The assertions are as follows:
Assertions per SAS 106, paragraph 15
● Transactions: Occurrence; Completeness; Accuracy; Cutoff; Classification
● Acct Balances: Existence; Rights & Obligations; Completeness; Valuation & Allocation
● Presentation: Occurrence & Rights & Obligations; Completeness; Classification & Understandability; Accuracy & Valuation
No. Of Assertions: 13
16
SAS No. 107
● SAS No. 107 states that the auditor must consider audit risk and must determine a materiality level for the financial statements taken as a whole
● The determination of materiality takes into account how users with the following characteristics could reasonably be expected to be influenced in making economic decisions. Users are assumed to:
  ○ Have an appropriate business knowledge and a willingness to study the financial statements
  ○ Understand that financial statements are prepared and audited to levels of materiality
  ○ Recognize the uncertainties inherent (estimates, judgments, consideration of future events)
  ○ Make appropriate economic decisions on the basis of information in the financial statements
17
SAS No. 107 (Cont.)
● Audit risk consists of:
  ○ The risk of material misstatement (consisting of inherent risk and control risk) – that the relevant assertions related to balances, classes or disclosures contain misstatements (whether caused by error or fraud) that could be material to the financial statements, when aggregated with misstatements in other relevant assertions related to balances, classes, or disclosures
  ○ The risk (detection risk) that the auditor will not detect such misstatements
18
SAS No. 107 (Cont.)
● Tolerable misstatement is the maximum error in a population that the auditor is willing to accept
  ○ When assessing the risks of material misstatements and designing and performing further audit procedures to respond to the assessed risks, the auditor should allow for the possibility that some misstatements of lesser amounts than the materiality levels could, in the aggregate, result in a material misstatement of the financial statements. To do so, the auditor should determine one or more levels of tolerable misstatement. Such levels of tolerable misstatement are normally lower than the materiality levels
19
SAS No. 107 (Cont.)
● “The auditor must accumulate all known and likely misstatements identified during the audit, other than those that the auditor believes are trivial, and communicate them to the appropriate level of management” (SAS No. 107)
  ○ The auditor should request management to record adjustments needed to correct all known misstatements
  ○ When the misstatements are considered likely, the auditor should request that management examine the situation in order to identify and correct misstatements therein
20
SAS No. 108
● SAS No. 108 provides guidance on:
  ○ Appointment of the independent auditor
  ○ Establishing an understanding with the client (should be written)
  ○ Preliminary engagement activities
  ○ The overall audit strategy (formerly “audit approach”)
  ○ The audit plan (formerly “audit program”)
  ○ Determining the extent of involvement of professionals possessing specialized skills
  ○ Using a professional possessing information technology (IT) skills to understand the effect of IT on the audit
  ○ Additional considerations in initial audit engagement
  ○ Supervision of assistants
21
SAS No. 109
● SAS No. 109 establishes requirements and provides guidance about implementing the second standard of fieldwork, as follows:
  ○ The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures
  ○ The auditor should assess the risk of material misstatement at both the financial statement and relevant assertion levels
  ○ Under the previous standard, the primary purpose of gaining an understanding of internal control was to plan the audit
22
SAS No. 109 (Cont.)
● SAS No. 109 states that the audit team should discuss the susceptibility of the entity’s financial statements to material misstatement
  ○ Previous standards did not require a “brainstorming” session to discuss the risk of material misstatements
  ○ This discussion can be held concurrently with the SAS No. 99 fraud brainstorming session, and SAS 109 requires that this discussion among the audit team members be appropriately documented
23
SAS No. 110
● SAS No. 110 provides guidance on determining overall responses, and designing and performing further audit procedures, to respond to assessed risks of material misstatements at the financial statement and relevant assertion levels. The auditor’s overall responses to address the assessed risks of material misstatement at the financial statement level may include:
  ○ Emphasizing professional skepticism in gathering and evaluating audit evidence
  ○ Assigning more experienced personnel or those with specialized skills
  ○ Providing more supervision
  ○ Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed, and
  ○ Making general changes to the nature, timing or extent of further audit procedures
24
SAS No. 110 (Cont.)
● In designing further audit procedures, the auditor should consider such matters as:
  ○ The significance of the risk
  ○ The likelihood that a material misstatement will occur
  ○ The characteristics of the class of transactions, account balance or disclosure involved
  ○ The nature of the specific controls used by the entity – in particular, whether they are manual or automated
  ○ Whether the auditor expects to obtain audit evidence to determine if the entity’s controls are effective in preventing or detecting material misstatements
25
SAS No. 110 (Cont.)
● The auditor should perform tests of controls when:
  ○ The auditor’s risk assessment includes an expectation of the operating effectiveness of controls; or
  ○ Substantive procedures alone do not provide sufficient appropriate audit evidence at the relevant assertion level
● When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor should determine what additional audit evidence should be obtained for the remaining period
● If the auditor plans to rely on the operating effectiveness of controls intended to mitigate a significant risk, the auditor should obtain audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period
26
SAS No. 110 (Cont.)
● SAS No. 110 states that the auditor should perform certain substantive procedures for all engagements. These procedures include:
  ○ Performing substantive tests for all relevant assertions related to each material class of transactions, account balances and disclosures, regardless of the assessment of the risk of material misstatement
  ○ Agreeing the financial statements, including their accompanying notes, to the underlying accounting records
  ○ Examining material journal entries and other adjustments made during the course of preparing the financial statements
27
SAS No. 111
● SAS No. 111 provides guidance relating to the auditor’s judgment about establishing tolerable misstatement for a specific audit procedure and on the application of sampling to tests of controls. This statement amends SAS No. 39, Audit Sampling, to state the following:
  ○ When planning a sample for a test of details, the auditor should determine the tolerable misstatement for the sample
  ○ Tolerable misstatement is the maximum error in a population (for example, the class of transactions or account balance) that the auditor is willing to accept. This term may be referred to as tolerable error in other standards
28
SAS No. 111 (Cont.)
● An auditor who applies statistical sampling uses tables or formulas to compute sample size based on these judgments
● An auditor who applies non-statistical sampling uses professional judgment to relate these factors in determining the appropriate sample size. Ordinarily, this would result in a sample size comparable to the sample size resulting from an efficient and effectively designed statistical sample, considering the same sampling parameters
29
SAS No. 111 (Cont.)
● To determine the number of items to be selected in a sample for a particular test of details, the auditor should consider:
  ○ Tolerable misstatement
  ○ Expected misstatement
  ○ Audit risk
  ○ Characteristics of the population
  ○ Assessed risk of material misstatement (inherent risk and control risk)
  ○ Assessed risk for other substantive procedures related to the same assertion
30
Conclusions
● How will these standards impact me?
  ○ Public accountants:
    – Revisions to audit approach
    – Increased focus on assessing risks
    – Increased procedures relative to internal controls
    – Documentation
  ○ Private accountants
    – Opportunity to reduce costs by:
      • Preparation of comprehensive documentation of policies and procedures
      • Identification of key internal controls
      • Identification of risk exposure
      • Preparation of the financial statements and related disclosures
    – Increased focus on good corporate governance
    – Higher-quality financial reporting
    – Business process improvements
31
Lessons For Companies
32
Lessons For Companies
● Recent events in the financial markets raise many questions
  ○ Do companies understand the risk assessment processes?
  ○ Do people really understand what risks their company faces?
  ○ How are you dealing with the risk of fraudulent financial reporting?
● SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
  ○ Are we so concerned with material misstatement in the financial statements that we’ve lost sight of business risk?
33
What Should Companies Be
Doing?
Answer the following questions:
● How is risk defined at your company (or, is it defined)?
● How effective is your governance process over risk?
● What risks exist today?
● What processes exist to analyze your risk?
● What processes exist to quantify your risk?
● What processes exist to be sure all business units understand your
risk profile?
● What is being done to mitigate your risks?
● What keeps you up at night?
34
The Audit Risk Model
● Audit risk (AR) = Inherent risk (IR) X control risk (CR) X detection risk (DR)
● AR = IR X CR X DR
● Components of audit risk
● Inherent risk – Risk existing in balances or transactions
  ○ (Complexity, judgment, theft, obsolescence)
● Control risk – Risk that ICFR isn’t effective
● Detection risk – Risk that error will not be found
35
Internal Audit Engagement
Approach
36
Phase 1: Scoping And Understanding
Business Objectives
● Obtain a clear and comprehensive understanding of your:
  ○ Environment
  ○ Organization culture
  ○ Objectives
  ○ The operating model in which the internal control structure must operate and be effective to mitigate enterprise risk
● How is this accomplished?
  ○ By interviews with key management personnel
  ○ Review of any previous risk assessments
  ○ Audit plans, strategic plans, marketing plans, financial budgets, management representation letters and IT plans
37
Phase 2: Risk Assessment
● Develop an assessment of risks: business, financial, operational, compliance, as well as any others that are pertinent given the organizational objectives
● Focus is on the areas of high risk and areas that are important to management in the achievement of its business objectives
● To the extent available, use your internal audit function, as it is an integral part of keeping management informed of opportunities for efficiencies and improvements in an organization’s internal control structure
38
Phase 3: Develop Audit Plan
● Once the risk assessment is complete, develop and prepare a document that identifies the potential audit universe
● This document will identify each audit area, along with an assigned risk rating and recommended audit cycle
● Develop a current-year audit schedule
● Ensure that the plan will meet your goals and objectives
39
Phase 4: Execute Audit Plan
● Begin each audit with a pre-audit meeting
● Once scope has been set and communicated, develop and execute the test plans
  ○ Include detailed testing
  ○ Interviewing
  ○ Process-mapping
  ○ Document review
  ○ Observation
● Throughout this phase, your team should continuously communicate
with management as to progress, potential issues and needs
40
Phase 5: Reporting And Monitoring
During the course of any audit, issues will surely arise. These should
be reported in three ways
1. Continuously communicate with management as your teams
progress through each audit
2. Prepare a summary document that reflects all of the issues
noted during the course of the audit
3. Draft a formal audit report that reflects all previously
discussed issues, recommendations and management’s
agreed-to action plans
41
New SEC Guidance
● Released in conjunction with proposed Auditing Standard No. 5 (AS-5)
● Key points in release:
  ○ Top-down, risk based approach
  ○ Entity-level, anti-fraud and compensating controls become more important
  ○ Evaluation of controls based on identification and assessment of risk
  ○ Subsequent years’ effort will be reduced (focus only on changes in risk)
  ○ IT general controls necessary to address financial reporting risks
  ○ Evidence (amount of testing) based on risk assessment
42
Road Map For Compliance
[Flowchart: road map for compliance]
Phases: Planning/Scoping Phase; Documentation Phase; Testing Phase; Remediation
Items shown: Enterprise Risk Assessment; Fraud Assessment; Project Scope; Project Plan; Develop Project Plan & Scoping; Document/Update the “As Is” Process & Controls; Develop/Update RCMs & Test Scripts (Identification of Key Controls); Key Control Testing; Design Gaps; Operating Effectiveness Gaps
Remediation will require re-testing of the control after the fix is implemented. It may involve documentation update as well
43
Some Key Factors To Consider
Typical areas of concern
• Non-routine transactions
• Estimates
• IT general and application-level controls
• Depth of testing to substantiate effectiveness of control
• Judgment on severity of identified weakness
• Effective PMO
• Timely remediation of gaps
44
Achieving Effective ICFR
The COSO Framework
● Control environment
● Risk Assessment
● Control activities
● Information and communication
● Monitoring
45
Control Environment
● Integrity and ethical values
● Board of directors
● Management’s philosophy and operating style
● Organizational structure
● Financial reporting competencies
● Authority and responsibility
● Human resources
46
Risk Assessment
● Financial reporting objectives
● Financial reporting risks
● Fraud risk
47
Control Activities
● Integration with risk assessment
● Selection and development of control activities
● Policies and procedures
● Information technology
48
Information And Communication
● Financial reporting information
● Internal control information
● Internal communication
● External communication
49
Monitoring
● Ongoing and separate evaluations
● Reporting deficiencies
50
Management To-Dos
● What could go wrong?
● Focus on risks that are significant and likely
● Know the objectives of internal controls
  ○ Provide effectiveness and efficiency of operations
  ○ Ensure reliable financial reporting
  ○ Comply with laws and regulations
51
Early Experiences From
Implementation Of SAS 104-111
52
Implementation
Summer 2006 through Fall 2007
● Extensive training for auditors
● Over-communication with clients
  ○ Awareness: Informing clients of changes in audit standards
  ○ Increased time required to complete the audit
  ○ Increased fees
  ○ Overall impact on the audit
● Comprehensive revisions to audit methodology
53
Before The Risk Standards
● SAS 112, Communication of Control Deficiencies
  ○ Redefined material weaknesses, significant deficiencies and deficiencies, while eliminating the term “reportable condition”
  ○ Enhanced required communications (need to repeat SD and MW)
  ○ Required auditors to inform the clients whether the identified control deficiencies are significant deficiencies or material weaknesses
  ○ Huge impact when combined with new risk-based standards
54
SAS 112 Letters
Change in terminology – Classification of comments
● Material weakness – A material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity’s internal controls
55
SAS 112 Letters (Cont.)
Change in terminology – Classification of comments
● Significant deficiency – A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process or report financial data reliably in accordance with generally accepted accounting principles, such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected by the entity’s internal control
56
SAS 112 Letters (Cont.)
Change in terminology – Classification of comments
● Deficiency – A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis
● Best practice – A matter which you may find of interest – not related to a control matter (in theory, these comments should address how management can improve their operations and are viewed as “value-added” comments)
57
SAS 112 Letters (Cont.)
Deficiency communication – What is the control issue, what is the risk, what is the recommendation?
Testing LIFO Unit Counts (Significant Deficiency)
Observation: During our testing of the LIFO reserve, we noted several instances where the same item in multiple inventory locations had a different LIFO unit cost. Most differences in LIFO unit costs had immaterial impacts on the LIFO reserve calculation, and correspondingly, net income. One instance resulted in the misstatement of net income from 2002-2007 by approximately $580,000. However, the cumulative impact over time was only $60,000. Management has not compared LIFO costs between locations to ensure that the same base year cost is being utilized.
Business Risk: The business risk associated with this deficiency is that the LIFO reserve may not be fairly stated and, as noted above, income may be misstated.
Recommendation: We recommend that management implements control procedures as part of its monthly closing process to check for similar instances so that any errors are identified and resolved timely.
Management’s Response: Management will look into implementing procedures during the next fiscal year to improve the LIFO costing process and verify no errors exist.
(Implemented prescribed formats for management comment letters)
58
SAS 104-111
Early Experiences – Changes In Audits
● Materiality levels have changed (usually lower)
● Confirmation testing has increased
  ○ More receivable confirmations, for example
● More extensive understanding of internal controls
  ○ Observing, reviewing, corroborating supporting evidence
  ○ Additional time spent with client personnel
● More extensive understanding of IT controls
  ○ Observing, reviewing, corroborating supporting evidence
  ○ Time spent understanding the interplay with manual controls
● Enhanced IT control testing
59
SAS 104-111
Early Experiences – Changes In Audits
(Cont.)
● More extensive testing of internal controls
  ○ Manual and computer controls
  ○ More linkage of reliance on controls to other substantive testing
● Understand entity level controls – risk impact – linkage
● Conveyance of SAS 104-111 to foreign auditors, for them to comply with U.S. GAAS requirements
60
SAS 104-111
Early Experiences – Client Matters
● Our auditors are requesting more information regarding:
  ○ Internal controls – computer and manual
  ○ Various procedures – corroborating
  ○ Client policies – not always written
● This information must be supported by written internal documentation
  ○ Must be maintained by the client
  ○ Should not simply be the internal control questionnaires or forms maintained by the outside auditor
61
SAS 104-111
Early Experiences – Client Matters
(Cont.)
● More formal documentation is required of our clients
  ○ Journal entries – documentation of who prepared and who reviewed
  ○ Account reconciliations – documentation of who prepared and who reviewed
  ○ Monthly results – formal documentation of the review of actual results to budgeted results and same month/prior year results
● Some clients feel that “the playing field has changed,” while other clients “embrace the enhanced audit standards”
62
SAS 104-111
Early Experiences – Auditor
Issues/Comments
● “The risk assessment standards had little effect on the design of certain audit procedures”
  ○ Auditors are still spending time on areas where risk of misstatement is not great
  ○ Example of long-term debt
    – Client performs, reviews and documents the reconciliation process, from lender statements to the general ledger
    – Audit team still sends confirmations, tests interest reasonableness and performs other non-value added audit procedures
63
SAS 104-111
Early Experiences – Auditor
Issues/Comments (Cont.)
● “The risk assessment standards drive deficiency communication even without audit adjustments”
  ○ Client did not document any of their controls, and controls could not be corroborated by the auditors
  ○ Client got the answer right in the end; standards indicate the need to communicate deficiencies even without an audit adjustment
  ○ Lesson per the standard: “It is not appropriate to be lucky vs. good when it involves controls”
64
SAS 104-111
Early Experiences – Auditor
Issues/Comments (Cont.)
Corroboration > inquiry
● In the past, we would inquire as to who had wire transfer authority
● Now, we would ask to see an official list provided to, or confirmed by, the bank
● Many times, we find terminated employees on that list, which we would not have seen if we depended on inquiry
65
SAS 104-111
Early Experiences – Awkward
Situations With Clients
● Prior audits – The auditors proposed/prepared journal entries representing proposed corrections of accounting records
  ○ Prior to risk assessment standards, maybe no management comments addressed this issue
  ○ This year, audit team issued a “material weakness” regarding accounting and reporting relating to the proposed corrections of the accounting records
  ○ Corrections are usually an indicator that controls were not functioning correctly or do not exist to keep accounting information correct
66
SAS 104-111
Early Experiences – Awkward
Situations With Clients (Cont.)
● Hesitation to provide completed trial balances or schedules
  ○ Clients do not want any deficiencies (or significant deficiencies or material weaknesses)
  ○ Clients then hold back providing schedules or intentionally omit certain line items (e.g., income taxes)
  ○ Ultimate result is a “debate” as to who identified the need for an adjusting entry
67
SAS 104-111
Early Experiences – Awkward Situations
with Clients (Cont.)
● Complex accounting issues
  ○ Hedge accounting – FAS No. 133
  ○ Clients not taking responsibility to comply with standard
  ○ Clients ultimately rely on outside auditors
  ○ Sometimes judgmental issues
● Extra time spent “debating” classification of comments
  ○ Clients want “best practices”
  ○ Control observations are deficiencies
● Must repeat observations or make reference to prior observations if still present – added communication
68
SAS 104-111
Early Experiences – Awkward Situations
with Clients (Cont.)
Owner-managed businesses
● Little or no documentation of entity-level controls
● No formal meetings among ownership, management, others
● No corporate governing committee
Resulting in no formal documentation of:
● Review of financial statements
● Approval of significant, unusual transactions
● Changes to employment policies
Clients ask:
● What is the value of documenting these processes?
69
SAS 104-111
Early Experiences – Client Interactions
● Instances where all risk assessments were completed well in advance of year-end
  ○ We met with management and those charged with governance to discuss the significant deficiencies
  ○ Management adopted all recommendations and made changes in their control system (policies/procedures) prior to year-end and corrected past information, if necessary
  ○ We considered this similar to remediation under AS-5, Public Company Audit Requirement
  ○ No control-related deficiencies in their SAS 112 letter
70
SAS 104-111
Early Experiences - Conclusions
● This is not a “blame game”
  ○ How can auditors help you?
  ○ The recommendation is the key
● More communications with your auditors
  ○ Anything that will drive more communication with your auditors will be good for you . . . unless you have something to hide
● Inherent risk
  ○ CFOs cannot control inherent risk (e.g., economic times, gas at $4.25 per gallon)
  ○ Must think about controls in place to deter those employees who may be tempted to steal inventory, use manual checks for personal use, etc.
71
SAS 104-111
Early Experiences – Conclusion
(Cont.)
● Win for the client
  ○ More information about their control systems
  ○ More communication with auditors about risks
● Win for the auditors
  ○ More communication with clients
  ○ Better understanding about control systems
● Win for the public trust
  ○ Better financial information
  ○ Improved interim financial reporting due to enhanced controls
72
A Look Forward
73
Looking Forward
After SAS 104-111
● SAS No. 115
● PCAOB proposal of seven new auditing standards
74
Statement On Auditing Standards
(SAS) No. 115, Communicating
Internal Control Related Matters
in an Audit
● Supersedes SAS No. 112
● Revisions to definitions to align with AS-5
● Implications for government audits
● Management letter change
75
Material Weakness
A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility [1] that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected
[1] FAS No. 5 – Remote, Reasonably Possible and Probable
76
Significant Deficiency
A deficiency, or a combination of deficiencies, in internal control
that is less severe than a material weakness, yet important enough
to merit attention by those charged with governance
77
Implications For Government
Audits
“Not Yet Adopted”
● Government Auditing Standards
● Circular A-133
● Other similar federal regulations
● Audit guides
Do not implement early SAS No. 115 under these standards!
78
Management Letter Changes
“Auditor’s consideration of internal control was not designed to
identify all deficiencies in internal control that might be significant
deficiencies or material weaknesses and therefore, there can be no
assurance that all deficiencies, significant deficiencies or material
weaknesses have been identified”
79
Communication Content
● Best made by report release date
● No later than 60 days following release date
● Include statement indicating consideration of internal controls not designed to identify all SD or MW
Effective Date
● Periods ending on or after Dec. 15, 2009
Earlier implementation is permitted, except as previously noted
80
PCAOB – Proposal Of Seven New
Standards
● Proposed Oct. 21, 2008
● 120-day comment period expires Feb. 18, 2009
● Replaces existing “Interim PCAOB Standards”
● All proposed standards deal with audit risk
81
PCAOB – Proposal Of Seven New
Standards (Cont.)
The proposed new standards are:
● Audit Risk in an Audit of Financial Statements
● Audit Planning and Supervision
● Identifying and Assessing Risks of Material Misstatement
● The Auditor’s Responses to the Risks of Material Misstatements
● Evaluating Audit Results
● Consideration of Materiality in Planning and Performing an Audit
● Audit Evidence
82
PCAOB – Proposal Of Seven New
Standards (Cont.)
Improvements to audits of public companies
The PCAOB has stated that the proposed standards:
● Would update the existing requirements to take account of the improved
risk-based audit methodologies currently in use by some auditors
● Should enhance integration of the audit of the financial statements with
the audit of internal control over financial reporting, resulting in more
effective audits
● Would integrate the auditor’s current responsibilities for considering
fraud during the audit
● Would serve as an improved foundation for future standard-setting
● Reflect the Board’s effort to reduce unnecessary differences with the
risk assessment standards of other auditing standard-setters
83