Understanding SAS Nos. 104 to 111 Issued March 2006 (testable on CPA starting July/August 2007) Risk Assessment Must of the following is quoted or paraphrased from the following sources: Audit Risk Alerts: Understanding the New Auditing Standards Related to Risk Assessment, AICPA: New York, 2006 AICPA Audit Guide: Assessing and Responding to Audit Risk in a Financial Statement Audit, AICPA: New York, 2006 Introduction: Eight new standards provide guidance on applying the audit risk model in the planning and performance of a financial statement audit. Effective for periods beginning after December 15, 2006 and earlier application is permitted. Applies to audit of _____________ held companies and other _______________. Basic requirements: 1. A more in-depth understanding of your audit client and its environment, including it internal control. This knowledge will be used to identify the risk of material misstatement in the financial statements (whether caused by error or fraud) and what the client is doing to mitigate them. 2. A more rigorous assessment of the risk of material misstatement of the financial statements based on that understanding. 3. Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks. Key provisions: SAS No. 104, Amendment to SAS No. 1, Codification of Auditing Standards and Procedures (“Due Professional Care in the Performance of Work”) defines reasonable assurance as a “high level of assurance.” SAS No. 105, Amendment to Statement on Auditing Standards No. 95, GAAS expands the scope of the understanding that the auditor must obtain in the second standard of field work from “internal control” to “the entity and its environment including its internal control.” The quality and depth of the understanding to be obtained is emphasized by amending its purpose from “planning the audit” to “assessing the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures.” SAS No. 106, Audit Evidence defines audit evidence as “all the information used by the auditor in arriving at the conclusions on which the audit opinion is based.” recatergorizes assertions by classes of transactions, account balances, and presentation and disclosure; expands the guidance related to presentation and 1 disclosure; and describes how the auditor uses relevant assertions to assess risk and design audit procedures. defines relevant assertions as those assertions that have a meaningful bearing on whether the account is fairly stated. provides additional guidance on the reliability of various kinds of audit evidence. identifies “risk assessment procedures” as audit procedures performed on all audits to obtain an understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement at the financial statement and relevant assertions levels. provides that evidence obtained by performing risk assessment procedures, as well as that obtained by performing tests of controls and substantive procedures, is part of the evidence that auditor obtains to draw reasonable conclusions on which to base the audit opinion, although such evidence is not sufficient in and of itself to support the audit opinion. describes the types of audit procedures that the auditor may use alone or in combination as risk assessment procedures, tests of controls, or substantive procedures, depending on the context in which they are applied by the auditor. includes guidance on the uses and limitations of inquiry as an audit procedure. SAS No. 107, Audit Risk and Materiality in Conducting an Audit The auditor must consider audit risk and must determine a materiality level for the financial statements taken as a whole for the purpose of 1. Determining the extent and nature of risk assessment procedures. 2. Identifying and assessing the risk of material misstatement. 3. Determining the nature, timing, and extent of further audit procedures. 4. Evaluating whether the financial statements taken as a whole are presented fairly, in conformity with generally accepted accounting principles. Combined assessment of inherent and control risks is termed the risk if material misstatement. The auditor should assess the risk of material misstatement as a basis for further audit procedures, Although that risk assessment is a judgment rather than a precise measurement of risk, the auditor should have an appropriate basis for that assessment. Assessed risks and the basis for those assessments should be documented The auditor must accumulate all known and likely misstatements identified during the audit, other that those that the auditor believes are trivial, and communicate them to the appropriate level of management. The auditor should request management to respond appropriately when misstatements (known or likely) are identified during the audit. SAS No. 108, Planning and Supervision Provides guidance on: appointment of the independent auditor. establishing an understanding with the client. preliminary engagement activities. 2 the overall audit strategy. the audit plan. determining the extent of involvement of professional possessing specialized skills. using a professional possessing information technology (IT) skills to understand the effect of IT on the audit. additional considerations in initial audit engagements. supervision of assistants. SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement describes audit procedures that the auditor should perform to obtain the understanding of the entity and its environment, including its internal control. The audit team should discuss the susceptibility of the entity’s financial statements to material misstatement. The purpose of obtaining an understanding of the entity and its environment, including its internal control, is to identify and assess “the risk of material misstatement” and design and perform further audit procedures responsive to the assessed risk. states the auditor should assess the risk of material misstatement at both the financial statement and relevant assertion levels. provides directions on how to evaluate the design of the entity’s controls and determine whether the controls are adequate and have been implemented. directs the auditor to consider whether any of the assessed risks are significant risks that require special audit consideration or risks for which substantive procedures alone do not provide sufficient appropriate audit evidence. provides extensive guidance on the matters that should be documented. SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained provides guidance on determining overall responses to address the risk of material misstatement at the financial statement level and the nature of those responses. Further audit procedures, which may include tests of controls, or substantive procedures should be responsive to the assessed risk of material misstatement at the relevant assertion level. provides guidance on matters the auditor should consider in determining the nature, timing, and extent of such audit procedures. SAS No. 111, Amendment to SAS No. 39, Audit Sampling provides guidance relating to the auditor’s judgment about establishing tolerable misstatement for a specific audit procedure and on the application of sampling to tests of controls. 3 Fundamental Concepts: I. Reasonable assurance – high, but not absolute – must obtain sufficient audit evidence to reduce audit risk (failure to detect a material misstatement) to a low level II. Audit risk (AR) and risk of material misstatement A. Audit risk is a function of two components o Risk of material misstatement (RMM), risk that an account or disclosure contains a material misstatement. Combination of inherent and control risk. o Detection risk (DR), risk that you will not detect a misstatement in an account or disclosure. B. Reducing audit risk to a low level requires you to: o Assess the risk of material misstatement. o Based on the assessment, design and perform further audit procedures to reduce audit risk to an appropriate low level. C. Assessing the Risk of Material Misstatement o Factors affecting RMM: ¾ Client’s industry, its regulatory environment, and other external factors ¾ Nature of the entity, for example, its operations, ownership, and financing ¾ Client’s objectives, strategies, and related business risks ¾ Management’s measures and review of company’s financial performance ¾ Client’s internal control, which includes selection and application of accounting policies o RMM may reside at financial statement level or assertion level ¾ Financial statement-level risks potentially affect many different assertions ¾ Assertion-level risks are limited to a single assertion o Response to each RMM level ¾ Financial statement-level risks require an overall response, such as providing more supervision to the engagement team or incorporating additional elements of unpredictability in the selection of your audit procedures. ¾ Assertion-level risks are addressed by the nature, timing, and extent of further audit procedures. o Risks of Material Misstatement at the Assertion Level. ¾ Inherent risk (IR), susceptibility of an assertion to a material misstatement, assuming no related internal controls. ¾ Control risk (CR), risk that a material misstatement could occur in an assertion and will not be prevented or detected on a timely basis by the client’s internal control. 4 D. Detection Risk – risk of not detecting a material misstatement that exists in an assertion. A function of the nature, timing, and effectiveness of substantive audit procedures and how you apply them. o Financial Statement level risks. May call for: ¾ assigning more experienced personnel to audit team ¾ emphasizing of the application of professional skepticism ¾ providing more supervision and review of the audit work performed o Assertion-level risks responses will determine the nature, timing, and extent of your further audit procedures. Model: AR = RMM X DR There is an inverse relationship between risk of material misstatement (RMM) and detection risk (DR) at the assertion level. Which means that the greater the RMM the lesser the acceptable DR. In other words, the greater the RMM, the more reliable your substantive tests should be in the audit. III. Materiality and Tolerable Misstatement A. The Concept of Materiality – materiality is influenced by the auditor’s perception of the needs of financial statement users. B. Audit Materiality Affects: 1. The nature, timing, and extent of audit procedures 2. The evaluation of audit findings. C. Quantitative and Qualitative Considerations D. Tolerable Misstatement IV. Financial Statement Assertions A. Why Financial Statement Assertions are Important Assertions are management’s implicit or explicit representations regarding the recognition, measurement, presentation, and disclosure of information in the financial statements and related disclosures. Assertion categories: A. Classes of transactions B. Account balances C. Presentation and disclosure B. How You Use Assertions in Your Audit – Most of your tests of controls and substantive audit procedures are directed at specific assertions. I. II. V. Internal Control A. Definition and Description of Internal Control – Internal control is a process designed to provide reasonable assurance about the achievement of the entity’s objectives. Internal control helps the entity achieve its objectives by mitigating the risk of “what can go wrong” in the pursuit of its objectives. The auditor’s assessment of internal control is a consideration of whether the controls mitigate financial reporting risks. 5 B. Controls may be Pervasive to the Entity or Restricted to an Account or Assertion – Your client’s financial reporting risks (and therefore its controls) may relate to one of the following: A. To specific classes of transactions, account balances and disclosures B. More pervasively to the financial statements taken as a whole (And potentially the risk may affect many assertions.) C. Control Design – are controls capable of effectively preventing or detecting and correcting material misstatements. On every audit you should evaluate the design of internal control and determine whether controls have been implemented over all relevant assertions related to each material account balance, class of transactions, or disclosures. D. Control Operations – The operating effectiveness of controls involves the consideration of: A. How controls were applied during the audit period B. The consistency with which they were applied C. By whom they were applied VI. Information Technology A. Implications of IT on Your Understanding of Internal Control B. How the Client’s Use of IT Affects Audit Planning VII. Audit Evidence A. The Nature of Audit Evidence – Audit evidence is all the information you use to arrive at the conclusions that support your audit opinion. Audit evidence is cumulative in nature. The procedures that you perform on your audit provide audit evidence, but they are not the only source of audit evidence. To determine whether you have optained persuasive audit evidence, you should consider: ¾ The consistency of that evidence ¾ Whether the evidence was obtained from different sources or the performance of procedures that were of a different nature B. The Sufficiency and Appropriateness of Audit Evidence 1. Sufficiency of Audit Evidence – The sufficiency of audit evidence you need to support your conclusion is affected by: ¾ The risk of misstatement ¾ The quality of the audit evidence obtained 2. Appropriateness of Audit Evidence – relates to its quality. ¾ Relevance of audit evidence. The results of your audit procedures may provide audit evidence that is relevant to certain assertions but not others. ¾ Reliability of audit evidence. The reliability of audit evidence is influenced by its source and by its nature. o Audit evidence obtained directly by the auditor is more reliable than audit evidence obtained indirectly or by inference. o Audit evidence is more reliable when it exists in documentary form (whether paper, electron, or other medium). 6 o Audit evidence provided by original documents is more reliable than audit evidence provided by photocopies or facsimiles. Applying the Audit Risk Model The following is an overview of how an auditor should apply the audit risk model in practice. o Gather information about the entity and its environment, including internal control. o Understand the entity and its environment, including its internal control. o Assess the risk of material misstatement. To assess risks you will need to: • Identify the risk of material misstatement • Describe the identified risks in terms of what can go wrong in specific assertions • Consider the significance and likelihood of material misstatement for each identified risk o Design overall responses and further audit procedures (financial statement level and assertion-level). I. Information Gathering A. Information Needed About the Client and Its Environment to Identify and Assess the Risk of Material Misstatement – In general, the information you should gather about your client is that which allow you to assess the risk that specific assertions could be materially misstated. (See Table 2) B. Risk Assessment Procedures – are the audit procedures you perform to obtain an understanding of the entity and its internal control. Examples include: • Inquiries of management and others at the client • Analytical procedures • Observation and inspection It is not acceptable to simply deem control risk to be “at the maximum” without support. 1. A Mix of Procedures o Except for internal controls, not required to perform all the procedures for each of the five aspects of the client and its environment. o Should perform all the risk assessment procedures. o Inquiry alone is not sufficient in gaining an understanding of internal controls. 2. Other Procedures That Provide Relevant Information About the Client Assessing the Risk of Material Misstatement Due to Fraud (AU section 316) Other information from your acceptance/continuance process and/or experience gained on other engagements performed for the entity 7 3. Updating Information From Prior Periods – can use information from prior periods as long as changes are considered. II. Gaining an Understanding of the Client and Its Environment Must synthesize the information gathered. A. Evaluating the Design of Internal Control – A sufficient understanding of internal control is one that allows you to evaluate the design of internal control and to determine whether controls have been placed in operation. 1. Requirements for Evaluating Control Design - Sufficient depth to assess the risks of material misstatement o the financial statements, whether due to error or fraud - Sufficient depth to design the nature, timing , and extent of further audit procedures - You should evaluate the design of controls that are relevant to the audit and determine whether the control – either individually or in combination – is capable of effectively preventing or detecting and correcting material misstatements. - You should determine that the control has been implemented, that is, that the control exists and that the entity is using it. Even if your initial audit strategy contemplates performing only substantive procedures for all relevant assertions related to material transactions, account balances, and disclosures, you still need to evaluate the design of your client’s internal control. 2. How to Evaluate Control Design – Consider: - Whether control objectives that are specific to the unique circumstances of the client have been considered for all relevant assertions for all significant accounts and disclosures - Whether the control or combination of controls would – if operated as designed – meet the control objective - Whether all controls necessary to meet the control objectives are in place B. Determining If the Control Has Been Implemented – The determination of whether a control has been put in place and is in use involves obtaining evidence about whether those individuals responsible for performing the prescribed procedures have: ¾ An awareness of the existence of the procedure and their responsibility for its performance ¾ A working knowledge of how the procedure should be performed ¾ Distinguishing Between Evaluation of Design and Tests of Controls. Required to understand design and implementation on every audit Testing the operating effectiveness is necessary only when controls are expected to provide sufficient audit evidence ¾ Evaluating Design and Implementation in the Absence of Control Documentation – procedures limited to inquiry and observation 8 C. Discussion Among the Audit Team – should do to improve understanding of client and potential for material misstatement III. Assessing the Risk of Material Misstatement A. Considerations at the Financial Statement Level. To make this assessment you should: 1. Identify risks throughout the process of obtaining an understanding of the entity, its internal control, and its environment. 2. Relate the identified risk to what can go wrong at the relevant assertion level. 3. Consider whether the risks could result in a material misstatement to the financial statements. 4. Consider the likelihood that the risks could result in a material misstatement of the financial statement. Financial Statement-Level and Assertion-Level Risks. How to Consider Internal Control When Assessing Risks. Identification of Significant Risks – audit procedures should include (but not be limited to): - Obtaining an understanding of internal control, including relevant control activities, related specifically to those significant risks. - If you plan to rely on the operating effectiveness of controls related to significant risks, testing the operating effectiveness of those controls in the current period. That is, using evidence about operating effectiveness that you obtained in prior periods is not appropriate. - Substantive procedures specifically designed to address the significant risk. B. Considerations at the Assertion Level AR = RMM X DR IV. Determining Materiality and Tolerable Misstatement – usually a percentage of a benchmark. Can be adjusted during the course of the audit. V. Responding to Assessed Risks A. Linking Assessed Risks to Further Audit Procedures 1. The risk assessment process culminates with your articulation of the account balances, classes of transactions, or disclosures where material misstatements are most likely to occur. 2. Forms basis for designing and performing further audit procedures. 3. Two dimensions to risk assessment – direction and amplitude. 4. Amplitude can be either potential significance and likelihood of occurring B. Further Audit Procedures 1. Need to support audit opinion 2. Consists of either tests of controls or substantive tests 3. Could be a combination of both types of tests 4. Not precluded from a substantive approach – but must document why it’s appropriate 9 5. Respond to assessed RMM in determining nature, timing, and extent of audit procedures 6. Must document linkage between procedures and assessed RMM 7. Previous audits can give you ideas, but current year analysis of RMM should be the basis for audit procedures VI. Evaluating Audit Findings Your consideration and aggregation of misstatements should include both of the following: ¾ Known misstatements, which are the amount of misstatements specifically identified ¾ Likely misstatements, which include (1) projected misstatements in the account balances or classes of transactions that you have examined and (2) differences between management’s and the auditor’s judgments concerning accounting estimates that the auditor considers unreasonable or inappropriate Before considering the aggregate effect of identified uncorrected misstatements, the auditor should consider each misstatement separately to evaluate: ¾ Its effect in relation to the relevant individual classes of transactions, account balances, or disclosures, including qualitative considerations. ¾ Whether, in considering the effect of the individual misstatement on the financial statements taken as a whole, it is appropriate to offset misstatements. ¾ The effect of misstatements related to prior periods. In prior periods, misstatements may not have been corrected by the entity because they did not cause the financial statements for those periods to be materially misstated. Those misstatements might also affect the current period’s financial statements. Evaluating Whether the Financial Statements Taken as a Whole Are Free of Material Misstatement ¾ Financial statements taken as a whole should be free of material misstatement ¾ Consider the evaluation of the uncorrected (known and likely) misstatements you identified ¾ Relativity matters across entities and time ¾ Materially misstated – give management chance to correct, else adjust audit report ¾ Not materially misstated – consider what you may have missed (that is, as the aggregate misstatement approaches materiality the more likely the financial statements are misstated) 10 VII. The Iterative Nature of Auditing ¾ Audit is cumulative and iterative process ¾ Audit evidence gathered may lead to modification of nature, timing, and extent of other procedures ¾ Pay attention to the effect of new information VIII. Audit Documentation A. General Documentation Requirements – clear understanding of the work performed, the source of the information, and the conclusions reached. B. Specific Documentation Requirements – SASs require the following matters be documented: 1. The levels of materiality and tolerable misstatement, including any changes thereto, used in the audit and the basis on which those levels were determined. 2. The discussion among the audit tem regarding the susceptibility of the entity’s financial statements to material misstatement due to error or fraud, including how and when the discussion occurred, the subject matter discussed, the audit team members who participated, and significant decisions reached concerning planned responses at the financial statement and relevant assertion levels. 3. Key elements of the understanding obtained regarding each of the aspects of the entity and its environment, including each of the components of internal control, to assess the risks of material misstatement of the financial statements, the source of information from which the understanding was obtained, and the risk assessment procedures. 4. The assessment of the risks of material misstatement both at the financial statement level and at the relevant assertion level and the basis for the assessment. 5. The significant risks identified and related controls evaluated. 6. The overall responses to address the assessed risks of misstatement at the financial statement level. 7. The nature, timing, and extent of the further audit procedures. 8. The linkage of those procedures with the assessed risks at the relevant assertion level. 9. The results of the audit procedures. 10. The conclusions reached with regard to the use in the current audit of audit evidence about the operating effectiveness of controls that was obtained in a prior audit. 11. A summary of uncorrected misstatements, other than those that are trivial, related to known and likely misstatements. 12. Your conclusion about whether uncorrected misstatements, individually or in aggregate, do or do not cause the financial statements to be materially misstated, and the basis for the conclusion. 11 Uncorrected misstatements should be documented in a manner that allows the auditor to: 1. Separately consider the effects of know and likely misstatements, including uncorrected misstatements identified in prior periods. 2. Consider the aggregate effect of misstatements on the financial statements. 3. Consider the qualitative factors that are relevant to the auditor’s consideration of whether misstatements are material. 12 Table 1: CATERGORIES OF ASSERTIONS Description of Assertions Classes of Transactions and Events During the Period Occurrence/Existence Transactions and events that have been recorded have occurred and pertain to the entity. Rights and Obligations Completeness Accuracy/Valuation and Allocation Cut-off Classification and Understandability All transactions and events that should have been recorded have been recorded. Amounts and other data relating to recorded transactions and events have been recorded appropriately. Transactions and events have been recorded in the proper accounts. Transactions and events have been recorded in the proper accounts. Account Balances at the End of the Period Assets, liabilities, and equity interests exist. The entity holds or controls the rights to assets, and liabilities are the obligations of the entity. All assets, liabilities, and equity interests that should have been recorded have been recorded. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are recorded appropriately. Presentation and Disclosure Discloser events and transactions have occurred and pertain to the entity. All disclosures that should have been included in the financial statements have been included. Financial and other information is disclosed fairly and at appropriate amounts. Financial information is appropriately presented and described and information in disclosures is expressed clearly. 13 Table 2: Understanding the Client and Its Environment On every audit you are required to gather information and obtain an understanding of the client and its environment. This understanding consists of the following aspects. • External factors, including: o Industry factors such as the competitive environment, supplier and customer relationship, and technological developments. o The regulatory environment, which includes relevant accounting pronouncements, the legal and political environment, and environmental requirements that affect the industry. o Other maters such as general economic conditions. • Nature of the client, which includes its operations its ownership, governance, the types of investments it makes and plans to make, how it is financed, and how it is structured. • Objectives and strategies and related business risks, which may result in material misstatement of the financial statements taken as a whole or individual assertions. • Measurement and review of the client’s financial performance, which tells you which aspects of the client’s performance that management considers to be important. • Internal control, which consists of five components: the control environment, risk assessment, information and communication ,control activities and monitoring. These components may operate at the entity level or the individual transaction level. To obtain an appropriate understanding of internal control will require you to understand and evaluate the design of all five components of internal control and to determine whether the controls are in use by the client. 14 SAS No. 112 Communicating Internal Control Related Matters Identified in an Audit Issue Date: Effective Date: May 2006 Periods ending on or after December 15, 2006 The Auditing Standards Board has issued SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit, which replace s SAS No. 60, Communication of Internal Control Related Matters Noted in an Audit. This SAS established standards and provides guidance on communicating matters related to an entity’s internal control over financial reporting identified in an audit of financial statements. It is applicable whenever an auditor expresses an opinion on financial statements (including a disclaimer of opinion). Among other things, the SAS: ¾ Requires the auditor to communicate control deficiencies that are significant deficiencies or material weaknesses in internal control. o A significant deficiency is a control, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements t hat is more than inconsequential will not be prevented or detected. o A material weakness is a significant deficiency, or combination of control deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. These definitions are consistent with PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With and Audit of Financial Statements. The term reportable condition is no longer used. ¾ Provides guidance on evaluating the severity of control deficiencies identified in an audit of financial statements and requires that the auditor conclude whether prudent officials, having knowledge of the same facts and circumstances, would agree with the auditor’s classification of the deficiency. ¾ Identifies areas in which control deficiencies ordinarily are to be evaluated as at least significant deficiencies, as well as indicators that control deficiencies should be regarded as at least a significant deficiency and a strong indicator of a material weakness. ¾ Requires the auditor to communicate significant deficiencies and material weaknesses identified in the audit, in writing, to management and those charged with governance. This includes the significant deficiencies and material weaknesses that were communicated in previous audits if they have 15 not yet been remediated. The SAS recognizes hat the body charged with governance may take different forms in different entities. for example, a board of directors, a committee of the board of directors (for example, an audit or legislative oversight committee), a committee of management (for example , a finance, budget, or governmental agency executive committee), partners, equivalent person, or some combination of these parties. It also recognizes that in some smaller entities, management and those charged with governance may be the same people, for example, the owner in an ownermanaged entity or a sole trustee. ¾ Indicates that the communication must be in writing and is best made by the report release date (the date on which the auditor grants permission for the client to use the auditor’s report in connection with the financial statements), but should be made no later than 60 days following the report release date. ¾ Contains illustrative written communications to management and those charges with governance. Source: AICPA.org 16 STATEMENT ON AUDITING STANDARDS No. 113 OMNIBUS 2006 Issue Date: November 2006 Effective Date: The amendments in paragraphs 1 through 5 of this SAS are effective for audits of financial statements for periods beginning on or after December 15, 2006. Earlier application is permitted. The amendments in paragraphs 7 through 14 of this SAS are effective for audits of financial statements for periods ending on or after December 15, 2006. Earlier application is permitted. Product Number: 060708 SUMMARY The Auditing Standards Board (ASB) has issued Statement on Auditing Standards (SAS) No. 113, Omnibus 2006. This SAS amends the following SASs: • SAS No. 95, Generally Accepted Auditing Standards; • SAS No. 99, Consideration of Fraud in a Financial Statement Audit; • SAS No. 101, Auditing Fair Value Measurements and Disclosures; • SAS No. 59, The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern; • SAS No. 57, Auditing Accounting Estimates; • “Subsequent Events” of SAS No. 1, Codification of Auditing Standards and Procedures; and • SAS No. 85, Management Representations. SAS No. 113: • Revises the terminology used in the ten standards in SAS No. 95 to reflect the terminology used in SAS No. 102, Defining Professional Requirements in Statements on Auditing Standards. • Adds a footnote to the headings prior to paragraphs 35 and 46 in SAS No. 99 to provide a clear link between the auditor’s consideration of fraud and the auditor’s assessment of risk and the auditor’s procedures in response to those assessed risks. • Replaces, throughout the SASs, the term “completion of fieldwork” with the term “date of the auditor’s report.” • Changes the convention for dating the representation letter by requiring that it be dated as of the date of the auditor’s report. Source: AICPA.org 17 Statement of Auditing Standards No. 114, The Auditor’s Communication With Those Charged With Governance __________________________________________________________________ Issue Date: December 19, 2006 Effective Date: This SAS is effective for periods beginning on or after December 15, 2006. Early application is permitted. Product Number: 060709 Executive Summary Statement on Auditing Standards (SAS) No. 114 supersedes SAS No. 61, Communication With Audit Committees, as amended. This SAS establishes standards and provides guidance to an auditor on matters to be communicated with those charged with governance. In the wake of well-publicized audit failures and emerging best practices in corporate governance, expectations have increased for auditors to communicate openly and candidly with those charged with governance regarding significant findings and issues related to the audit. The Auditing Standards Board (ASB) believes SAS is responsive to the issues and expectations in the U.S. nonissuer community and will improve audit practice and serve the public interest. In developing this SAS, the ASB considered the communication requirements of the Proposed International Standard on Auditing 260 (Revised), The Auditor’s Communication with Those Charged with Governance, which was issued by the International Auditing and Assurance Standards Board in March 2005. SAS No. 61 established communication requirements applicable to entities that either have an audit committee or that have otherwise formally designated oversight of the financial reporting process to a group equivalent to an audit committee. SAS No. 114 broadens the applicability of the SAS to audits of the financial statements of all nonissuers and establishes a requirement for the auditor to communicate with those charged with governance certain significant matters related to the audit. The SAS uses the term those charged with governance to refer to those with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity, including overseeing the entity’s financial reporting process. It uses the term management to refer to those who are responsible for achieving the objectives of the enterprise and who have the authority to establish policies and make decisions by which those objectives are to be pursued. Management is responsible for the entity’s financial statements. The SAS identifies specific matters to be communicated, many of which are generally consistent with the requirements in SAS No. 61. However, the SAS includes certain additional matters to be communicated and provides additional guidance on the communication process. In particular, the SAS: ¾ Describes the principal purposes of communication with those charged with governance and stresses the importance of effective two-way communication. ¾ Requires the auditor to determine the appropriate person(s) in the entity’s governance structure with whom to communicate particular matters. That person may vary depending on the nature of the matter to be communicated. ¾ Recognizes the diversity in governance structures among entities (including the existence of audit committees or other subgroups charged with governance) and encourages the use of professional judgment in deciding with whom to communicate particular matters. 18 ¾ Recognizes the unique considerations for communicating with those charged with governance when all of those charged with governance are involved in managing the entity, which may be the case with some small entities. ¾ Adds requirements to communicate: o An overview of the planned scope and timing of the audit. o Representations the auditor is requesting from management. ¾ Provides additional guidance on the communication process, including the forms and timing of communication. Significant findings from the audit should be in writing when, in the auditor’s profession judgment, oral communication would not be adequate. Other communications may be oral or in writing, ¾ Requires the auditor to evaluate the adequacy of the two-way communication between the auditor and those charged with governance. ¾ Establishes a requirement to document required communications with those charged with governance. Source: AICPA.org 19