US 500-12 US AAM vs. DTTL AAM—A Refresher
advertisement
US 500-12 U.S. AAM vs. DTTL AAM—A Refresher © 2008 Deloitte Touche Tohmatsu Objectives Participants will refresh their knowledge on: • Applying the AICPA and the PCAOB Standards. • Utilizing the U.S. Audit Approach Manual and other guidance to locate the requirements specific to standards of the AICPA or PCAOB. • Planning an audit in accordance with the standards of the AICPA or PCAOB. • Conducting an audit of internal control over financial reporting in accordance with the standards of the AICPA or PCAOB. • Locating and using resources to support conducting an integrated audit. ©2011 Deloitte Global Services Limited 2 U.S. AAM Refresher ©2011 Deloitte Global Services Limited 3 Engagement letters • A properly executed engagement letter shall be obtained for all engagements, including all necessary signatures, before beginning significant portions of fieldwork. • The illustrative engagement letters contained in INFORM within the U.S. Technical Library shall be used when preparing an engagement letter. <U.S. Audit Approach Manual – Process - 1400.04a and 1400.04c, emphasis added> ©2011 Deloitte Global Services Limited 4 Engagement letters—which form? Which U.S. illustrative engagement letter form would be applicable for the audit of a non-accelerated filer (i.e., an issuer that is not required to have an integrated audit)? FORM 1310SP-FS, IILLUSTRATIVE FINANCIAL STATEMENT AUDIT ENGAGEMENT LETTER — PUBLIC ENTITY ©2011 Deloitte Global Services Limited 5 Engagement letters—which form? Which U.S. illustrative engagement letter form would be applicable for an integrated audit of a public entity? FORM 1310SP, IILLUSTRATIVE INTEGRATED AUDIT ENGAGEMENT LETTER — PUBLIC ENTITY ©2011 Deloitte Global Services Limited 6 Materiality If we are performing an integrated audit, is the determination of materiality different for a financial statement audit and the audit of internal control over financial reporting? No. If we are performing an integrated audit, we shall use the same materiality used to audit the financial statements in planning and performing our audit of internal control over financial reporting. <U.S. Audit Approach Manual 2210.01b, emphasis added> ©2011 Deloitte Global Services Limited 7 Materiality Benchmark • Profit before tax from continuing operations • Typically what users of the financial statements focus on Determination of Materiality • Typically 5%-10% of estimated profit before tax • Engagement partner may use professional judgment to determine use of other percentages <based on DTTL Audit Approach Manual 2210.10> ©2011 Deloitte Global Services Limited 8 Performance materiality For audits of SEC listed entities, for purposes of determining the amount to be deducted from materiality to arrive at performance materiality, we shall use the greater of the amounts determined using the iron curtain approach and the approach in U.S. AAM 2220.05. <U.S. Audit Approach Manual 2220.05b, emphasis added> ©2011 Deloitte Global Services Limited 9 Iron Curtain approach The iron curtain approach quantifies a misstatement based on the effects of correcting the misstatement existing in the balance sheet at the end of the current year, irrespective of the misstatement’s year(s) of origination. <Based on U.S. Audit Approach Manual Glossary> ©2011 Deloitte Global Services Limited 10 Rollover approach Under the rollover approach, uncorrected misstatements include those that have an impact on net income and include the current period carryover effects of misstatements identified in prior periods <U.S. Audit Approach Manual Glossary> ©2011 Deloitte Global Services Limited 11 Rollover vs. Iron Curtain example • Assume that in 20X2, Registrant A began over-accruing a liability each year by $20. • Therefore, at the end of 20X6, liabilities are overstated by $100. • The $20 annual over-accrual was not considered material to any of the individual prior period financial statements. • In 20X6, should the registrant evaluate the error in the current year as a $100 overstatement of liabilities (iron curtain approach), or as a $20 overstatement of expenses (rollover approach)? ©2011 Deloitte Global Services Limited 12 Rollover vs. Iron Curtain example 20x6 Iron Curtain 20x6 Rollover B A Overstatement of expenses $ Entry to adjust 20 $ 20 (100) (20) Understatement of expenses (as adjusted) $ (80) $ — Overstatement of liabilities $ 100 $ 100 Entry to adjust (100) (20) Overstatement of liabilities (as adjusted) $ — $ 80 Under the Iron Curtain approach, after the adjustment, entries will be correct but expenses will be understated by $80. A ©2011 Deloitte Global Services Limited 13 B Rollover vs. Iron Curtain example: Solution In 20X6, should the registrant evaluate the error in the current year as a $100 overstatement of liabilities (iron curtain approach), or as a $20 overstatement of expenses (rollover approach)? •Evaluate the errors using both approaches and adjust the Financial statements if either approach results in quantifying a misstatement that is material. •The 100 overstatement in 2006 under the iron curtain approach is material, thus the FS should be adjusted. •The 80 understatement of expenses is also material for 2006, thus prior year FS should be corrected regardless of materiality for those years. ©2011 Deloitte Global Services Limited 14 Develop overall audit strategy and audit plan for group audits―AICPA and PCAOB audits • When an entity has components, the group engagement team is required to identify material classes of transactions, account balances, and disclosures and their relevant assertions based on the consolidated financial statements <U.S. Audit Approach Manual G860.01b and 2250.02a> • The group engagement team is required to determine the extent to which audit procedures should be performed at selected components to obtain sufficient appropriate audit evidence to obtain reasonable assurance about whether the group financial statements are free of material misstatement. Note: This includes determining the components at which to perform audit procedures, as well as the nature, timing, and extent of the procedures to be performed at those individual components. • In determining the components at which to perform audit procedures, the group engagement team is required to assess the risks of material misstatement to the group financial statements associated with the component and correlate the amount of audit attention devoted to the component with the degree of risk of material misstatement associated with that component. <U.S. Audit Approach Manual G860.01c> ©2011 Deloitte Global Services Limited 15 Develop overall audit strategy and audit plan for group audits―AICPA and PCAOB audits Consider these factors when assessing the risks of material misstatement associated with a particular component and the determination of the necessary audit procedures: •The nature and amount of assets, liabilities, and transactions executed at the component •The materiality of the component •The risks associated with the component that present a reasonable possibility of material misstatement to the group financial statements •Whether the risks of material misstatement associated with the component apply to other components such that, in combination, they present a reasonable possibility of material misstatements to the group financial statements •The degree of centralization of records or information processing •The effectiveness of the control environment, particularly with respect to management’s control over the exercise of authority delegated to others and its ability to effectively supervise activities at the component •The frequency, timing, and scope of monitoring activities by the entity or others at the component •Whether significant changes have occurred during the period under audit •The length of time since a particular component was last selected and the results of the audit procedures performed. <U.S. Audit Approach Manual G860.01d> ©2011 Deloitte Global Services Limited 16 Scope the group audit―AICPA and PCAOB audits Determine whether there is a reasonable possibility of material misstatement in the residual balance of a consolidated material balance •In order to determine whether our audit plan is sufficient, it is important to evaluate whether our plan will allow us to conclude that we have obtained sufficient appropriate audit evidence to obtain reasonable assurance about whether the group financial statements are free of material misstatement. •As such, the group engagement team is required to evaluate whether the portion of each material balance at the group level* for which no substantive procedures are planned at the group or component level (i.e., the “residual balance” of the material balance at the group level) presents a reasonable possibility of material misstatement to the group financial statements. *Material balances at the group level include income statement and balance sheet accounts that are material to the group financial statements, considering both quantitative and qualitative factors <U.S. Audit Approach ©2011 Deloitte Global Services Limited Manual G860.02g> 17 Scope the group audit―AICPA and PCAOB audits Example: The group engagement team’s planned scope is as follows “Horizontal scoping” : Subjected to Substantive Procedures in the CY Residual Balance Cash 79% 21% Accounts Receivable 70% 30% Other Current Assets 77% 23% Goodwill 100% 0 Significant Components Total Balance at Significant Components % of balance tested at significant components Residual Balance - Consolidated Material Account Balances U.S. 3 EMEA 1 EMEA 3 APAC Total % Remaining Assets Cash $9,180,733 79% $492,000 $264,000 Accounts Receivable 6,073,946 70% 800,000 800,000 Other Current Assets 630,000 77% 50,000 40,000 20,970,022 100% Goodwill ©2011 Deloitte Global Services Limited $700,000 100,000 $980,820 $2,436,820 21% 1,000,000 2,600,000 30% 190,000 23% 0% 18 Scope the group audit―AICPA and PCAOB audits Determine whether there is a reasonable possibility of material misstatement in the residual balance of a consolidated material balance (continued) Considerations Considerations (AS (AS 9.12 9.12 and and G860.01d): G860.01d): ••The The nature nature and and amount amount of of assets, assets, liabilities liabilities and and transactions transactions executed executed at at the the component component ••The The materiality materiality of of the the component component ••The The risks risks associated associated with with the the component component that that present present aa reasonable reasonable possibility possibility of of material material misstatement misstatement to to the the group group financial financial statements statements ••Whether Whether the the risks risks of of material material misstatement misstatement associated associated with with the the component component apply apply to to other other components components such such that, that, in in combination, combination, they they present present aa reasonable reasonable possibility possibility of of material material misstatement misstatement to to the the group group financial financial statements statements ••The The degree degree of of centralization centralization of of records records or or information information processing processing ••The The effectiveness effectiveness of of the the control control environment environment ••The The frequency, frequency, timing, timing, and and scope scope of of monitoring monitoring activities activities ••Whether Whether significant significant changes changes have have occurred occurred during during the the period period under under audit audit ••The The length length of of time time since since aa particular particular component component was was last last selected selected and and the the results results of of the the audit audit procedures procedures performed. performed. ©2011 Deloitte Global Services Limited 19 Scope the group audit―AICPA and PCAOB audits Determine Whether there is a Reasonable Possibility of Material Misstatement in the Residual Balance of a Consolidated Material Balance If, after performing the analysis on the preceding slides, the group engagement team determines that a reasonable possibility of material misstatement to the group financial statements exists in the residual balance of one or more material balances at the group level, the group engagement team is required to modify the audit plan accordingly. <U.S. Audit Approach ©2011 Deloitte Global Services Limited Manual G860.02h> 20 Communicate with component auditors―PCAOB audits The ISAs require the group engagement team to request the component auditor to communicate matters relevant to the group engagement team’s conclusion with regard to the group audit . <U.S. Audit Approach Manual G885.06> The standards of the PCAOB have specific requirements on the documentation that must be obtained, reviewed, and retained by the group engagement team related to the work performed by the component auditors. Some of this documentation may have been obtained in connection with complying with U.S. AAM G885.06. (See next slide for detail listing) <U.S. Audit Approach Manual G885.06b> The standards of the PCAOB, also require the group engagement team to determine that the component auditors' audit documentation is prepared and retained in compliance with the standards of the PCAOB. <U.S. Audit Approach Manual G885.07ab> ©2011 Deloitte Global Services Limited 21 Communicate with component auditors―PCAOB audits PCAOB AS 3.19 and PCAOB AU 543.12 require that the following be obtained, reviewed, and retained by the group engagement team: •An audit summary memorandum, including all cross-referenced supporting working papers relating to significant matters and significant documentation matters •A list of significant risks, the component auditors' response, and the results of the component auditors' related procedures •Sufficient information relating to any significant matters that are inconsistent with or contradict the final conclusions •Any findings affecting the consolidating or combining of accounts in the consolidated financial statements •Sufficient information to enable the office issuing the audit report to agree or to reconcile the financial statement amounts to the information underlying the consolidated financial statements •A schedule of accumulated misstatements, including a description of the nature and cause of each accumulated misstatement, and an evaluation of uncorrected misstatements, including the quantitative and qualitative factors the component auditor considered to be relevant to the evaluation •All significant deficiencies and material weaknesses in internal control over financial reporting, including a clear distinction between those categories •Letters of representations from management •All matters to be communicated to those charged with governance. <U.S. Audit Approach Manual G885.06b>: ©2011 Deloitte Global Services Limited 22 Information produced by the entity When using information produced by the entity we shall evaluate whether the information is sufficiently reliable for our purposes, including as necessary in the circumstances (1)Obtaining audit evidence about the accuracy and completeness of the information, and (2)Evaluating whether the information is sufficiently precise and detailed for our purposes. <U.S. Audit Approach Manual G510.11> ©2011 Deloitte Global Services Limited 23 Reliance on information produced by the entity When information produced by the entity is used by us to perform audit procedures, we should obtain audit evidence about the completeness and accuracy of the information ‒ Controls over preparation and maintenance of information produced by the entity include the following elements: • Controls over the accuracy and completeness of the source data • Controls over the creation and modification of the applicable report logic and parameters. ‒ Controls over the accuracy and completeness of the source data may be addressed by our tests of controls of the related classes of transactions, account balances, and disclosures. Additional testing of general IT controls may provide audit evidence that the program and data sources are protected from unauthorized access or changes. <Based on U.S. Audit Approach Manual G510.13-13b> ©2011 Deloitte Global Services Limited 24 Illustrative example 1 Information produced by the entity is tested through typical substantive procedures The engagement team is evaluating the following control: The assistant controller reviews an Accounts Receivable (AR) Aging Report on a monthly basis in determining the appropriateness of the reserve for bad debt. The AR Aging report is a standard report (non-customized) generated out of the SAP ERP application. The following procedures were performed by the engagement team during their substantive testing of AR. •Foot and crossfoot aging report (Accuracy); •Agree Total Aging Balance to G/L (Completeness); •Selected a sample of A/R confirms and traced them into the Aging Report (Accuracy); AND •Determine appropriateness of aging for a sample of line items in the Aging Report (Accuracy – Aging) ©2011 Deloitte Global Services Limited 25 Illustrative example 2 Information produced by the entity is used to perform a control The engagement team is evaluating the following control: The Assistant Controller reviews an ERP report that identifies the number of units sold by SKU and units in ending inventory by SKU to compute the number of months sales on hand. This information is then used to evaluate the inventory valuation. Question #1 – •Controls over the accuracy and completeness of the source data are addressed by our tests of controls of the sales and inventory systems, including the proper SKU. (Note: When designing control and substantive procedures, consider the IPE that will be utilized and design control or substantive tests to incorporate appropriate testing related to the proper entry of SKU upon sales to increase efficiencies and eliminate the need for additional samples.) Question #2 – •Select X items from (1) the sales journal and perpetual inventory and trace back to bill of ladings or production data and (2) the bill of lading or production records and trace to the source data. Alternatively, consider integrating this testing into the detail tests of sales and inventory (i.e., use the same samples for both purposes). ©2011 Deloitte Global Services Limited 26 Illustrative example 2 (continued) Year 1 – Approach •Source Data: Test the accuracy and completeness of source data through testing controls over the sales and inventory systems, including entry of SKU when a sale occurs. •Report Logic: Test the report directly to determine whether the report is being appropriately created by: • • • Reconciling sales and inventory amounts to sales journal and perpetual inventory. Select X items from the number of units sold and the units in ending inventory columns of the report and trace back to the source data by SKU (e.g., the sales journal or perpetual inventory). Foot and cross-foot report totals and recalculate Year 2 – Approach •Source Data: Same as Year 1 approach •Report Logic: • • Carry forward a summary of direct testing of the report logic performed in the previous year, including a description of the report, how it was tested, and the conclusions we reached. Obtain evidence in the change management system that validates that the source code underlying the report has not been changed since it was previously tested by us. ©2011 Deloitte Global Services Limited 27 Information produced by the entity―FAQs Information produced by the entity (IPE)―FAQs includes: • FAQs on the requirements and guidance in U.S. AAM G510 • Illustrative testing approaches by IPE type • Illustrative testing approaches for certain IPE fact patterns ©2011 Deloitte Global Services Limited 28 Access the IPE―FAQs 1. Deloitte Technical Library 2. Deloitte Policies and Guidance 3. U.S. Guides, Practice Aids, and FAQs for Auditors 4. Audit Process ©2011 Deloitte Global Services Limited 29 Nature of tests of controls Inquiry Observation Least Evidence Inspection Reperformance Most Evidence Some types of tests, by their nature, produce greater evidence of the effectiveness of controls than other tests. ©2011 Deloitte Global Services Limited 30 Timing for tests of controls ©2011 Deloitte Global Services Limited 31 Illustrative example ©2011 Deloitte Global Services Limited 32 Figure 4200.1 Nature of Control Manual Manual Manual Manual Manual Manual Frequency of Performance of the Control Many times per day Daily Weekly Monthly Quarterly Annually Number of Selections Control Addresses a Significant Risk No Deviations Planned Post-Change Pre-Change 45 25 25 8 3 2 1 15 5 2 1 1 We may use professional judgment to determine that larger sample sizes may be appropriate <U.S. Audit Approach Manual 4200.23> Effective for all audits for periods beginning on or after December 15, 2010. ©2011 Deloitte Global Services Limited 33 Figure 4200.2 ©2011 Deloitte Global Services Limited 34 OE testing strategy thought process Risks Identified? Control Environment Risk Assessment Significant Risk Normal risk Where can we leverage knowledge obtained from prior year audits? Where do we think we need to get or are already getting our own independent evidence? Where can we leverage use of work of others? e.g., Lower risk, No significant changes e.g., Higher risk, observations, dual purpose tests e.g., Competent, objective evidence Monitoring Information & Communication General IT Controls Business Cycles Options: • • • • ©2011 Deloitte Global Services Limited PYK Independent testing UWO Combination 35 Deviations and deficiencies A deviation (or an exception) is a condition that exists if we identify circumstances that indicate that a control is not being performed in the manner described by the entity. A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. • A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. • A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. ©2011 Deloitte Global Services Limited 36 Considerations when evaluating deviations Deviation from control Specific inquiries To determine • The tests of controls that have been performed provide an appropriate basis for reliance on the controls • Additional tests of controls are necessary • The potential risks of misstatement need to be addressed using substantive procedures. <based on US Audit Approach Manual 4300.05> ©2011 Deloitte Global Services Limited 37 Ineffective general IT controls Nature and significance Likelihood of increased risk Cause and frequency Relates to material COTABD? ©2011 Deloitte Global Services Limited Pervasiveness Assessing impact of Ineffective general IT controls Complexity of environment Proximity to applications and data 38 General IT controls • General IT controls are ordinarily not designed to address risks of material misstatement at the assertion level. Instead, general IT controls address risks arising from IT that may affect the continued effective operation of automated application controls and the reliability of information produced by the entity. • Although ineffective general IT controls do not by themselves cause misstatements, they may cause application controls to operate improperly, thereby allowing misstatements to occur and not to be detected. • General IT controls are assessed in relation to the associated risk arising from IT and their effect on applications and data that become part of the Financial Statements. ©2011 Deloitte Global Services Limited 39 Concluding on an audit of ICFR Objective Express opinion on effectiveness of ICFR If material weaknesses exist, ICFR is not effective <AS 5 paragraph 2>. Auditors obtain evidence about whether material weaknesses exist at date of management’s assessment. Therefore we evaluate severity of any identified deficiency(s) to assess whether they represent a material weakness. ©2011 Deloitte Global Services Limited 40 Considerations when evaluating deficiencies Circumstances and reasons for deviation Effect on our test of OE of controls Impact statistically if using attribute sampling Considerations Qualitative factors affecting the likelihood that a misstatement could occur Management’s actions ©2011 Deloitte Global Services Limited 41 Questions on other areas of differences between US AAM and DTTL AAM 1.When performing an integrated audit, are we required to test the operating effectiveness of controls in each of the five components? 2.Could a risk of material misstatement for an assertion be related to one or a combination of relevant controls? 3.Can an engagement team perform their testing of a control subsequent to period-end? 4.For integrated audits, if an entity adopts new controls during the year, do we need to test the controls being replaced? 5.What are the required control procedures to be performed on equity method investments? ©2011 Deloitte Global Services Limited 42 Answers 1.Yes 2.Yes 3.Yes 4.Yes 5.The selection of accounting methods for its investments. The recognition of equity method earnings and losses. The audit ordinarily would not extend to controls at the equity method investee. ©2011 Deloitte Global Services Limited 43 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. This publication is for internal distribution and use only among personnel of Deloitte Touche Tohmatsu Limited, its member firms, and its and their affiliates. None of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing’s affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this publication. © 2008 Deloitte Touche Tohmatsu
