1
SAS 104-111 Teleconference
Jan. 15, 2009
Craig Funkhouser, Crowe Horwath LLP
Ken Goldmann, J.H. [email protected]
2
Today’s Program
Historical Background, Review Of Key Terms Of SAS 104-111: Craig Funkhouser, Slides 3 Through 31
Lessons For Companies: Ken Goldmann, Slides 32 Through 51
Early Experiences From Implementation Of SAS 104-111: Craig Funkhouser, Slides 52 Through 72
A Look Forward: Craig Funkhouser And Ken Goldmann, Slides 73 Through 83
4
How Did We Get Here?
● Bad publicity beginning with Enron: 2001
● Congress passes the Sarbanes-Oxley Act of 2002
● AICPA issues SAS No. 99, Consideration of Fraud in a Financial Statement Audit, effective in 2003
● PCAOB issues Audit Standard No. 2, Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, in 2004
● AICPA issues SAS No. 103, December 2005
● AICPA issues SAS Nos. 104 through 111, March 2006
● AICPA issues SAS No. 112, May 2006
● AICPA issues SAS No. 114, December 2006
● PCAOB issues Audit Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, 2007
5
AICPA Risk Assessment Standards
● Eight new auditing standards
  – Enhance auditor performance
  – Improve audit effectiveness
  – Encourage auditors to focus on areas where the risk of misstatement is the greatest
● Effective for audits of financial statements for periods beginning on or after Dec. 15, 2006
● SAS 103 and SAS 112 were effective for periods ending on or after Dec. 15, 2006 and are NOT considered part of the risk assessment standards
● SAS 114 – The auditor’s communication with those charged with governance is effective for periods beginning on or after Dec. 15, 2006 and is NOT considered part of the risk assessment standards
6
SAS Nos. 103, 112 And 114
● SAS No. 103, Audit Documentation
  – Effective for periods ending after Dec. 15, 2006
  – Changes documentation standards, supersedes SAS No. 96
  – Changes how auditors date their audit reports
● SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit
  – Effective for periods ending after Dec. 15, 2006
  – Changes the classification of control deficiencies
  – Changes how auditors assess severity of deficiencies
  – Changes communication requirements
● SAS No. 114, The Auditor’s Communication with Those Charged with Governance
  – Effective for periods beginning after Dec. 15, 2006
  – Changes “required communications,” supersedes SAS No. 61
  – Not only for companies who maintain an audit committee
7
Overview Of Risk Assessment Standards
● Statement on Auditing Standards (SAS) No. 104 – Amendment to SAS No. 1, Codification of Auditing Standards and Procedures
● SAS No. 105 – Amendment to SAS No. 95, Generally Accepted Auditing Standards
● SAS No. 106 – Audit Evidence
● SAS No. 107 – Audit Risk and Materiality in Conducting an Audit
● SAS No. 108 – Planning and Supervision
● SAS No. 109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
● SAS No. 110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
● SAS No. 111 – Amendment to SAS No. 39, Audit Sampling
8
Overview Of Risk Assessment Standards (Cont.)
These statements establish standards and provide guidance concerning:
• The auditor’s assessment of the risks of material misstatement (whether caused by error or fraud) in a financial statement audit
• The design and performance of audit procedures whose nature, timing and extent are responsive to the assessed risks
9
Overview Of Risk Assessment Standards (Cont.)
The statements also establish standards and provide guidance on:
• Planning and supervision
• The nature of audit evidence, and
• Evaluating whether the audit evidence obtained affords a reasonable basis for an opinion regarding the financial statements under audit
10
Overview Of Risk Assessment Standards (Cont.)
The primary objective is to enhance auditors’ application of the audit risk model in practice by specifying, among other things:
• More in-depth understanding of the entity and its environment, including its internal controls, to identify the risks of material misstatement in the financial statements and what the entity is doing to mitigate them
• More rigorous assessment of the risks of material misstatement of the financial statements, based on that understanding
• Improved linkage between the assessed risks and the nature, timing and extent of audit procedures performed in response to those risks
11
Risk Assessment Provisions
● The major risk assessment provisions are designed to:
  – Expand the quality and depth of the auditor’s required understanding of the entity and its environment, including its internal controls
  – Require the auditor to assess the risks of material misstatements at the financial statement level and at the assertion level on all audits based on the understanding obtained
  – Eliminate the “default to maximum” for control risk, which should encourage testing of controls
12
Risk Assessment Provisions (Cont.)
● The major risk assessment provisions are designed to:
  – Emphasize the importance of the entity’s risk assessment process
  – Strengthen the linkage between assessed risks and the auditor’s response to those risks
  – Clarify the auditor’s ability to rely on audit evidence gathered in prior audits
  – Strengthen guidance for testing disclosures
  – Clarify and expand guidance on evaluating audit findings, and
  – Expand documentation requirements
13
SAS No. 104
● Expands the definition of “reasonable assurance” to a high, but not absolute, level of assurance
● Requires the auditor to plan and perform the audit to limit audit risk to a low level
14
SAS No. 105
● Expands the scope of the understanding that the auditor must obtain in the second standard of field work from “internal control” to “the entity and its environment, including its internal control”
● The quality and depth of the understanding to be obtained is emphasized by amending its purpose from “planning the audit” to “assessing the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures”
● Use of generic or standard audit programs is not appropriate, since risk varies among entities being audited
15
SAS No. 106
● Introduces the concept of “risk assessment procedures”
● Identifies risk assessment procedures
  – Inquiries of management and others in the entity
  – Analytical procedures
  – Observation, inspection and other audit evidence
● Clearly states that inquiry alone is not sufficient in evaluating the design of an internal control and to determine whether it has been implemented
● Recategorizes assertions by classes of transactions and events, account balances, and presentation and disclosure; and describes how the auditor uses relevant assertions to assess risk and design audit procedures
16
Financial Statement Assertions
SAS 106 identifies 13 assertions rather than five. The assertions are as follows:
Assertions per SAS 106, paragraph 15
● Transactions: Occurrence; Completeness; Accuracy; Cutoff; Classification
● Account Balances: Existence; Rights & Obligations; Completeness; Valuation & Allocation
● Presentation: Occurrence & Rights & Obligations; Completeness; Classification & Understandability; Accuracy & Valuation
No. Of Assertions: 13
17
SAS No. 107
● SAS No. 107 states that the auditor must consider audit risk and must determine a materiality level for the financial statements taken as a whole
● The determination of materiality takes into account how users with the following characteristics could reasonably be expected to be influenced in making economic decisions. Users are assumed to:
  – Have an appropriate business knowledge and a willingness to study the financial statements
  – Understand that financial statements are prepared and audited to levels of materiality
  – Recognize the uncertainties inherent (estimates, judgments, consideration of future events)
  – Make appropriate economic decisions on the basis of information in the financial statements
18
SAS No. 107 (Cont.)
● Audit risk consists of:
  – The risk of material misstatement (consisting of inherent risk and control risk) – that the relevant assertions related to balances, classes or disclosures contain misstatements (whether caused by error or fraud) that could be material to the financial statements, when aggregated with misstatements in other relevant assertions related to balances, classes, or disclosures
  – The risk (detection risk) that the auditor will not detect such misstatements
19
SAS No. 107 (Cont.)
● Tolerable misstatement is the maximum error in a population that the auditor is willing to accept
  – When assessing the risks of material misstatements and designing and performing further audit procedures to respond to the assessed risks, the auditor should allow for the possibility that some misstatements of lesser amounts than the materiality levels could, in the aggregate, result in a material misstatement of the financial statements. To do so, the auditor should determine one or more levels of tolerable misstatement. Such levels of tolerable misstatement are normally lower than the materiality levels
20
SAS No. 107 (Cont.)
● “The auditor must accumulate all known and likely misstatements identified during the audit, other than those that the auditor believes are trivial, and communicate them to the appropriate level of management” (SAS No. 107)
  – The auditor should request management to record adjustments needed to correct all known misstatements
  – When the misstatements are considered likely, the auditor should request that management examine the situation in order to identify and correct misstatements therein
21
SAS No. 108
● SAS No. 108 provides guidance on:
  – Appointment of the independent auditor
  – Establishing an understanding with the client (should be written)
  – Preliminary engagement activities
  – The overall audit strategy (formerly “audit approach”)
  – The audit plan (formerly “audit program”)
  – Determining the extent of involvement of professionals possessing specialized skills
  – Using a professional possessing information technology (IT) skills to understand the effect of IT on the audit
  – Additional considerations in initial audit engagement
  – Supervision of assistants
22
SAS No. 109
● SAS No. 109 establishes requirements and provides guidance about implementing the second standard of fieldwork, as follows:
  – The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures
  – The auditor should assess the risk of material misstatement at both the financial statement and relevant assertion levels
  – Under the previous standard, the primary purpose of gaining an understanding of internal control was to plan the audit
23
SAS No. 109 (Cont.)
● SAS No. 109 states that the audit team should discuss the susceptibility of the entity’s financial statements to material misstatement
  – Previous standards did not require a “brainstorming” session to discuss the risk of material misstatements
  – This discussion can be held concurrently with the SAS No. 99 fraud brainstorming session, and SAS 109 requires that this discussion among the audit team members be appropriately documented
24
SAS No. 110
● SAS No. 110 provides guidance on determining overall responses, and designing and performing further audit procedures, to respond to assessed risks of material misstatements at the financial statement and relevant assertion levels. The auditor’s overall responses to address the assessed risks of material misstatement at the financial statement level may include:
  – Emphasizing professional skepticism in gathering and evaluating audit evidence
  – Assigning more experienced personnel or those with specialized skills
  – Providing more supervision
  – Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed, and
  – Making general changes to the nature, timing or extent of further audit procedures
25
SAS No. 110 (Cont.)
● In designing further audit procedures, the auditor should consider such matters as:
  – The significance of the risk
  – The likelihood that a material misstatement will occur
  – The characteristics of the class of transactions, account balance or disclosure involved
  – The nature of the specific controls used by the entity – in particular, whether they are manual or automated
  – Whether the auditor expects to obtain audit evidence to determine if the entity’s controls are effective in preventing or detecting material misstatements
26
SAS No. 110 (Cont.)
● The auditor should perform tests of controls when:
  – The auditor’s risk assessment includes an expectation of the operating effectiveness of controls; or
  – Substantive procedures alone do not provide sufficient appropriate audit evidence at the relevant assertion level
● When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor should determine what additional audit evidence should be obtained for the remaining period
● If the auditor plans to rely on the operating effectiveness of controls intended to mitigate a significant risk, the auditor should obtain audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period
27
SAS No. 110 (Cont.)
● SAS No. 110 states that the auditor should perform certain substantive procedures for all engagements. These procedures include:
  – Performing substantive tests for all relevant assertions related to each material class of transactions, account balances and disclosures, regardless of the assessment of the risk of material misstatement
  – Agreeing the financial statements, including their accompanying notes, to the underlying accounting records
  – Examining material journal entries and other adjustments made during the course of preparing the financial statements
28
SAS No. 111
● SAS No. 111 provides guidance relating to the auditor’s judgment about establishing tolerable misstatement for a specific audit procedure and on the application of sampling to tests of controls. This statement amends SAS No. 39, Audit Sampling, to state the following:
  – When planning a sample for a test of details, the auditor should determine the tolerable misstatement for the sample
  – Tolerable misstatement is the maximum error in a population (for example, the class of transactions or account balance) that the auditor is willing to accept. This term may be referred to as tolerable error in other standards
29
SAS No. 111 (Cont.)
● An auditor who applies statistical sampling uses tables or formulas to compute sample size based on these judgments
● An auditor who applies non-statistical sampling uses professional judgment to relate these factors in determining the appropriate sample size. Ordinarily, this would result in a sample size comparable to the sample size resulting from an efficient and effectively designed statistical sample, considering the same sampling parameters
30
SAS No. 111 (Cont.)
● To determine the number of items to be selected in a sample for a particular test of details, the auditor should consider:
  – Tolerable misstatement
  – Expected misstatement
  – Audit risk
  – Characteristics of the population
  – Assessed risk of material misstatement (inherent risk and control risk)
  – Assessed risk for other substantive procedures related to the same assertion
31
Conclusions
● How will these standards impact me?
  Public accountants:
    – Revisions to audit approach
    – Increased focus on assessing risks
    – Increased procedures relative to internal controls
    – Documentation
  Private accountants:
    – Opportunity to reduce costs by:
      • Preparation of comprehensive documentation of policies and procedures
      • Identification of key internal controls
      • Identification of risk exposure
      • Preparation of the financial statements and related disclosures
    – Increased focus on good corporate governance
    – Higher-quality financial reporting
    – Business process improvements
33
Lessons For Companies
● Recent events in the financial markets raise many questions
  – Do companies understand the risk assessment processes?
  – Do people really understand what risks their company faces?
  – How are you dealing with the risk of fraudulent financial reporting?
● SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
  – Are we so concerned with material misstatement in the financial statements that we’ve lost sight of business risk?
34
What Should Companies Be Doing?
Answer the following questions:
● How is risk defined at your company (or is it defined)?
● How effective is your governance process over risk?
● What risks exist today?
● What processes exist to analyze your risk?
● What processes exist to quantify your risk?
● What processes exist to be sure all business units understand your risk profile?
● What is being done to mitigate your risks?
● What keeps you up at night?
35
The Audit Risk Model
● Audit risk (AR) = Inherent risk (IR) X control risk (CR) X detection risk (DR)
● AR = IR X CR X DR
● Components of audit risk
● Inherent risk – Risk existing in balances or transactions (complexity, judgment, theft, obsolescence)
● Control risk – Risk that ICFR isn’t effective
● Detection risk – Risk that error will not be found
37
Phase 1: Scoping And Understanding Business Objectives
● Obtain a clear and comprehensive understanding of your:
  – Environment
  – Organization culture
  – Objectives
  – The operating model in which the internal control structure must operate and be effective to mitigate enterprise risk
● How is this accomplished?
  – By interviews with key management personnel
  – Review of any previous risk assessments
  – Audit plans, strategic plans, marketing plans, financial budgets, management representation letters and IT plans
38
Phase 2: Risk Assessment
● Develop an assessment of risks: business, financial, operational, compliance, as well as any others that are pertinent given the organizational objectives
● Focus is on the areas of high risk and areas that are important to management in the achievement of its business objectives
● To the extent available, use your internal audit function, as it is an integral part of keeping management informed of opportunities for efficiencies and improvements in an organization’s internal control structure
39
Phase 3: Develop Audit Plan
● Once the risk assessment is complete, develop and prepare a document that identifies the potential audit universe
● This document will identify each audit area, along with an assigned risk rating and recommended audit cycle
● Develop a current-year audit schedule
● Ensure that the plan will meet your goals and objectives
40
Phase 4: Execute Audit Plan
● Begin each audit with a pre-audit meeting
● Once scope has been set and communicated, develop and execute the test plans
  – Include detailed testing
  – Interviewing
  – Process-mapping
  – Document review
  – Observation
● Throughout this phase, your team should continuously communicate with management as to progress, potential issues and needs
41
Phase 5: Reporting And Monitoring
During the course of any audit, issues will surely arise. These should be reported in three ways:
1. Continuously communicate with management as your teams progress through each audit
2. Prepare a summary document that reflects all of the issues noted during the course of the audit
3. Draft a formal audit report that reflects all previously discussed issues, recommendations and management’s agreed-to action plans
42
New SEC Guidance
● Released in conjunction with proposed Auditing Standard No. 5 (AS-5)
● Key points in release:
  – Top-down, risk based approach
  – Entity-level, anti-fraud and compensating controls become more important
  – Evaluation of controls based on identification and assessment of risk
  – Subsequent years’ effort will be reduced (focus only on changes in risk)
  – IT general controls necessary to address financial reporting risks
  – Evidence (amount of testing) based on risk assessment
43
Road Map For Compliance
[Flow diagram. Phase labels: Planning/Scoping Phase, Documentation Phase, Testing Phase. Step labels: Develop Project Plan & Scoping; Document/Update the “As Is” Process & Controls; Develop/Update RCMs & Test Scripts (Identification of Key Controls); Key Control Testing; Remediation (Design Gaps, Operating Effectiveness Gaps). Also listed: Enterprise Risk Assessment, Fraud Assessment, Project Scope, Project Plan.]
Remediation will require re-testing of the control after the fix is implemented. It may involve documentation update as well
44
Some Key Factors To Consider
Typical areas of concern
• Non-routine transactions
• Estimates
• IT general and application-level controls
• Depth of testing to substantiate effectiveness of control
• Judgment on severity of identified weakness
• Effective PMO
• Timely remediation of gaps
45
Achieving Effective ICFR: The COSO Framework
● Control environment
● Risk Assessment
● Control activities
● Information and communication
● Monitoring
46
Control Environment
● Integrity and ethical values
● Board of directors
● Management’s philosophy and operating style
● Organizational structure
● Financial reporting competencies
● Authority and responsibility
● Human resources
48
Control Activities
● Integration with risk assessment
● Selection and development of control activities
● Policies and procedures
● Information technology
49
Information And Communication
● Financial reporting information
● Internal control information
● Internal communication
● External communication
51
Management To-Dos
● What could go wrong?
● Focus on risks that are significant and likely
● Know the objectives of internal controls
  – Provide effectiveness and efficiency of operations
  – Ensure reliable financial reporting
  – Comply with laws and regulations
53
Implementation
Summer 2006 through Fall 2007
● Extensive training for auditors
● Over-communication with clients
  – Awareness: Informing clients of changes in audit standards
  – Increased time required to complete the audit
  – Increased fees
  – Overall impact on the audit
● Comprehensive revisions to audit methodology
54
Before The Risk Standards
● SAS 112, Communication of Control Deficiencies
  – Redefined material weaknesses, significant deficiencies and deficiencies, while eliminating the term “reportable condition”
  – Enhanced required communications (need to repeat SD and MW)
  – Required auditors to inform the clients whether the identified control deficiencies are significant deficiencies or material weaknesses
  – Huge impact when combined with new risk-based standards
55
SAS 112 Letters
Change in terminology – Classification of comments
● Material weakness – A material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity’s internal controls
56
SAS 112 Letters (Cont.)
Change in terminology – Classification of comments
● Significant deficiency – A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process or report financial data reliably in accordance with generally accepted accounting principles, such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected by the entity’s internal control
57
SAS 112 Letters (Cont.)
Change in terminology – Classification of comments
● Deficiency – A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis
● Best practice – A matter which you may find of interest – not related to a control matter (in theory, these comments should address how management can improve their operations and are viewed as “value-added” comments)
58
SAS 112 Letters (Cont.)
Testing LIFO Unit Counts – Significant Deficiency
Observation:
During our testing of the LIFO reserve, we noted several instances where the same item in multiple inventory locations had a different LIFO unit cost. Most differences in LIFO unit costs had immaterial impacts on the LIFO reserve calculation, and correspondingly, net income. One instance resulted in the misstatement of net income from 2002-2007 by approximately $580,000. However, the cumulative impact over time was only $60,000. Management has not compared LIFO costs between locations to ensure that the same base year cost is being utilized.
Business Risk:
The business risk associated with this deficiency is that the LIFO reserve may not be fairly stated and, as noted above, income may be misstated.
Recommendation:
We recommend that management implements control procedures as part of its monthly closing process to check for similar instances so that any errors are identified and resolved timely.
Management’s Response:
Management will look into implementing procedures during the next fiscal year to improve the LIFO costing process and verify no errors exist.
(Implemented prescribed formats for management comment letters)
Deficiency communication – What is the control issue, what is the risk, what is the recommendation?
59
SAS 104-111 Early Experiences – Changes In Audits
● Materiality levels have changed (usually lower)
● Confirmation testing has increased
  – More receivable confirmations, for example
● More extensive understanding of internal controls
  – Observing, reviewing, corroborating supporting evidence
  – Additional time spent with client personnel
● More extensive understanding of IT controls
  – Observing, reviewing, corroborating supporting evidence
  – Time spent understanding the interplay with manual controls
● Enhanced IT control testing
60
SAS 104-111 Early Experiences – Changes In Audits (Cont.)
● More extensive testing of internal controls
  – Manual and computer controls
  – More linkage of reliance on controls to other substantive testing
● Understand entity level controls – risk impact – linkage
● Conveyance of SAS 104-111 to foreign auditors, for them to comply with U.S. GAAS requirements
61
SAS 104-111 Early Experiences – Client Matters
● Our auditors are requesting more information regarding:
  – Internal controls – computer and manual
  – Various procedures – corroborating
  – Client policies – not always written
● This information must be supported by written internal documentation
  – Must be maintained by the client
  – Should not simply be the internal control questionnaires or forms maintained by the outside auditor
62
SAS 104-111 Early Experiences – Client Matters (Cont.)
● More formal documentation is required of our clients
  – Journal entries – documentation of who prepared and who reviewed
  – Account reconciliations – documentation of who prepared and who reviewed
  – Monthly results – formal documentation of the review of actual results to budgeted results and same month/prior year results
● Some clients feel that “the playing field has changed,” while other clients “embrace the enhanced audit standards”
63
SAS 104-111 Early Experiences – Auditor Issues/Comments
● “The risk assessment standards had little effect on the design of certain audit procedures”
  – Auditors are still spending time on areas where risk of misstatement is not great
  – Example of long-term debt
    • Client performs, reviews and documents the reconciliation process, from lender statements to the general ledger
    • Audit team still sends confirmations, tests interest reasonableness and performs other non-value added audit procedures
64
SAS 104-111 Early Experiences – Auditor Issues/Comments (Cont.)
● “The risk assessment standards drive deficiency communication even without audit adjustments”
  – Client did not document any of their controls, and controls could not be corroborated by the auditors
  – Client got the answer right in the end; standards indicate the need to communicate deficiencies even without an audit adjustment
  – Lesson per the standard: “It is not appropriate to be lucky vs. good when it involves controls”
65
SAS 104-111 Early Experiences – Auditor Issues/Comments (Cont.)
Corroboration > inquiry
● In the past, we would inquire as to who had wire transfer authority
● Now, we would ask to see an official list provided to, or confirmed by, the bank
● Many times, we find terminated employees on that list, which we would not have seen if we depended on inquiry
66
SAS 104-111 Early Experiences – Awkward Situations With Clients
● Prior audits – The auditors proposed/prepared journal entries representing proposed corrections of accounting records
  – Prior to risk assessment standards, maybe no management comments addressed this issue
  – This year, audit team issued a “material weakness” regarding accounting and reporting relating to the proposed corrections of the accounting records
  – Corrections are usually an indicator that controls were not functioning correctly or do not exist to keep accounting information correct
67
SAS 104-111 Early Experiences – Awkward Situations With Clients (Cont.)
● Hesitation to provide completed trial balances or schedules
  – Clients do not want any deficiencies (or significant deficiencies or material weaknesses)
  – Clients then hold back providing schedules or intentionally omit certain line items (e.g., income taxes)
  – Ultimate result is a “debate” as to who identified the need for an adjusting entry
68
SAS 104-111 Early Experiences – Awkward Situations with Clients (Cont.)
● Complex accounting issues
  – Hedge accounting – FAS No. 133
  – Clients not taking responsibility to comply with standard
  – Clients ultimately rely on outside auditors
  – Sometimes judgmental issues
● Extra time spent “debating” classification of comments
  – Clients want “best practices”
  – Control observations are deficiencies
● Must repeat observations or make reference to prior observations if still present – added communication
69
SAS 104-111 Early Experiences – Awkward Situations with Clients (Cont.)
Owner-managed businesses
● Little or no documentation of entity-level controls
● No formal meetings among ownership, management, others
● No corporate governing committee
Resulting in no formal documentation of:
● Review of financial statements
● Approval of significant, unusual transactions
● Changes to employment policies
Clients ask:
● What is the value of documenting these processes?
70
SAS 104-111 Early Experiences – Client Interactions
● Instances where all risk assessments were completed well in advance of year-end
  – We met with management and those charged with governance to discuss the significant deficiencies
  – Management adopted all recommendations and made changes in their control system (policies/procedures) prior to year-end and corrected past information, if necessary
  – We considered this similar to remediation under AS-5, Public Company Audit Requirement
  – No control-related deficiencies in their SAS 112 letter
71
SAS 104-111 Early Experiences – Conclusions
● This is not a “blame game”
  – How can auditors help you?
  – The recommendation is the key
● More communications with your auditors
  – Anything that will drive more communication with your auditors will be good for you . . . unless you have something to hide
● Inherent risk
  – CFOs cannot control inherent risk (e.g., economic times, gas at $4.25 per gallon)
  – Must think about controls in place to deter those employees who may be tempted to steal inventory, use manual checks for personal use, etc.
72
SAS 104-111 Early Experiences – Conclusion (Cont.)
● Win for the client
  – More information about their control systems
  – More communication with auditors about risks
● Win for the auditors
  – More communication with clients
  – Better understanding about control systems
● Win for the public trust
  – Better financial information
  – Improved interim financial reporting due to enhanced controls
75
Statement On Auditing Standards (SAS) No. 115, Communicating Internal Control Related Matters in an Audit
● Supersedes SAS No. 112
● Revisions to definitions to align with AS-5
● Implications for government audits
● Management letter change
76
Material Weakness
A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility¹ that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected
¹ FAS No. 5 – Remote, Reasonably Possible and Probable
77
Significant Deficiency
A deficiency, or a combination of deficiencies, in internal control
that is less severe than a material weakness, yet important enough
to merit attention by those charged with governance
78
Implications For Government Audits
“Not Yet Adopted”
● Government Auditing Standards
● Circular A-133
● Other similar federal regulations
● Audit guides
Do not implement early SAS No. 115 under these standards!
79
Management Letter Changes
“Auditor’s consideration of internal control was not designed to
identify all deficiencies in internal control that might be significant
deficiencies or material weaknesses and therefore, there can be no
assurance that all deficiencies, significant deficiencies or material
weaknesses have been identified”
80
Communication Content
● Best made by report release date
● No later than 60 days following release date
● Include statement indicating consideration of internal controls not designed to identify all SD or MW
Effective Date
● Periods ending on or after Dec. 15, 2009
  – Earlier implementation is permitted, except as previously noted
81
PCAOB – Proposal Of Seven New Standards
● Proposed Oct. 21, 2008
● 120-day comment period expires Feb. 18, 2009
● Replaces existing “Interim PCAOB Standards”
● All proposed standards deal with audit risk
82
PCAOB – Proposal Of Seven New Standards (Cont.)
The proposed new standards are:
● Audit Risk in an Audit of Financial Statements
● Audit Planning and Supervision
● Identifying and Assessing Risks of Material Misstatement
● The Auditor’s Responses to the Risks of Material Misstatements
● Evaluating Audit Results
● Consideration of Materiality in Planning and Performing an Audit
● Audit Evidence
83
PCAOB – Proposal Of Seven New Standards (Cont.)
Improvements to audits of public companies
The PCAOB has stated that the proposed standards:
● Would update the existing requirements to take account of the improved risk-based audit methodologies currently in use by some auditors
● Should enhance integration of the audit of the financial statements with the audit of internal control over financial reporting, resulting in more effective audits
● Would integrate the auditor’s current responsibilities for considering fraud during the audit
● Would serve as an improved foundation for future standard-setting
● Reflect the Board’s effort to reduce unnecessary differences with the risk assessment standards of other auditing standard-setters