Transcript Effective and Efficient Auditing in Compliance with the

New Audit Risk
Standards
Are You Ready?
John P. Langan, CPA
Principal in Charge
Public Service Group
Metro, DC Office
LarsonAllen LLP
Learning Objectives
• Gain a Historical Perspective on an Evolving Audit Approach
• Receive an Overview of the New AICPA Audit Standards:
SAS 102-114
• Share Implementation Experiences: SAS 103 & 112
• Understand the Basic Concepts Inherent in the New Audit
Risk Standards SAS 104-111
• Identify Specific Ways to Prepare for Addressing the
Standards with your Board, Management and Auditors
• Receive Tools and Resources to Support Your Related
Responsibilities
2
Three Audience Perspectives
• Association Financial & Management Professionals
• Public Accounting Professionals
• Other Association Advisors
3
Historical Perspective
•
•
•
•
•
Expectations “GAAP”
How Auditors Traditionally Audited Non-Profits
Treadway Commission & COSO
The Go-Go 90’s: For-Profit & Non-Profit Fraud
Fall of Arthur Andersen
4
Historical Perspective
• Statement on Auditing Standards No. 99-Active
Consideration and Search for Fraud
• New Ethics Rules on Auditor Independence: AICPA,OMB
• Sarbanes-Oxley For Public Companies: Rule 404
• NFP Implications of Sarbanes-Oxley
–
–
–
–
–
Rise in Audit Committees*
Whistle Blower, Document Retention, Conflict of Interest Policies
Increase in Audit RFP’s
Internal Audit Function
Risk Assessment & Monitoring
*Resource: (AICPA NFP Audit Toolkit www.aicpa.org)
5
Relevant Questions
• What &Where are the Risks of Fraud in NFPs?
• What & Where are the Risks of Material Misstatement in
the Financial Statements?
• Where do Management’s Responsibilities End and The
Auditor’s Begin?
• How Can The Audit Process Be More Efficient &
Effective?
6
Overview of SAS 102-114
•
•
•
•
•
•
•
•
•
Statements on Auditing Standards (SAS)
Released June 2006
Impact Audits For All Industries & Entities Not Just NFP’s
SAS 102 Defining Terms in Prior Statements
SAS 103 Audit Documentation/Report Dating
SAS 104-111 Risk Assessment Standards
SAS 112 Evaluating Control Deficiencies
SAS 113 Omnibus Statement Revising Prior Statements
SAS 114 Communications with Those Charged with
Governance. Supersedes SAS 61
7
Key Statements & Effective Dates
• SAS 103 & 112 Effective Years Ending On or After 12/31/06
• SAS 104-111 Effective Years Ending On or After 12/31/07
• AICPA Risk Alert* Summarizes SAS 104-111
* Available on FAR Web Site: www.far-roundtable.org
8
SAS 103 & 112 Look-back
Key Concepts
SAS 103
• Sufficient Audit Documentation To Support Audit Opinion
• Report Dating
• 60 day audit file lock-down
SAS 112
• Communicate deficiencies in design and implementation
– Since we are assessing more control risks,
we may have more control deficiencies to report
• Types of control deficiencies
– Inconsequential deficiency (oral)
– Significant deficiency (written- SAS 112 & Single Audit Findings)
– Material weakness (written- SAS 112 & Single Audit Findings))
9
SAS 103 & 112 Look-back
SAS 103
• More Timely Audit Reporting
• Planning Counts (Auditor, Management, Audit Committee)
• Potential For The Never Ending Audit: Subsequent
Events/Updated Representations
• Potential For Audit Committee Meetings “On The Fly”
SAS 112
• Lack of Uniformity in Auditor Application
• Reactions & Re-Audits: Speaker War Stories
• Share Your Experiences: Auditor & Client
10
Primary Objective of New SASs
• A more in-depth
understanding of the
client and its
environment,
including its internal
control
• More rigorous risk
assessments
• A more direct link
between identified risks
and audit procedures
performed
• Better communication of
internal control matters
11
New Requirements For Your Auditor
• Trying to reduce the risk of material misstatement in the
financial statements
• Must reduce overall audit risk to a level of “low”
• Must obtain a sufficient understanding of the entity and its
environment, including internal control (walk-through, nonprogram inquiries)
• Must perform risk assessment procedures
• Must link identified risks (e.g., inherent risks, control risks,
detection risks) to audit procedures
• Must evaluate internal control for significant risks
• Must test controls when relevant or necessary
• Must communicate with those charged with governance
12
SAS 104-111
• SAS 104 Amends SAS 1 Due Professional Care
• SAS 105 Amends SAS 95 Generally Accepted
Auditing Standards
• SAS 106 Audit Evidence
• SAS 107 Audit Risk & Materiality
• SAS 108 Audit Planning & Supervision
13
SAS 104-111
• SAS 109 Understanding The Entity and Its
Environment Assessing The Risks of Material
Misstatements
• SAS 110 Performing Audit Procedures in
Response to Assessed Risk and Evaluating the
Audit Evidence Obtained
• SAS 111 Amends SAS 39 Audit Sampling
14
Risk Assessment
What can go wrong in the financial statements?
• Understand entity and environment
• Understand risks of the entity
• Understand the risks in financial reporting including and
beyond fraud
• Understand internal controls designed to mitigate risks
– Entity-level controls (tighter written procedures)
– Activity-level controls (coordination w/IT)
• Determine if controls have been implemented
• Not just auditor inquiry
• Corroborating evidence required (duplicate inquiries,
written documentation)
15
Key Concept:
Supporting Financial Statement Assertions
You Must Support Financial Statement Assertions:
1. Occurrence and Existence
2. Rights and Obligations
3. Completeness
4. Accuracy, Valuation and Allocation
5. Cut-off
6. Classification and Understandability
See Matrix in AICPA Audit Risk Alert
(13 in Standards summarized as 6 above)
16
Key Concept: Supporting Assertions
Assertions Evaluated in Three Areas:
1. Classes of Transactions and Events During The
Period
2. Account Balances at the End of the Period
3. Presentation and Disclosure
See Matrix in AICPA Audit Risk Alert
17
Gaining Understanding of Internal Control
Five components of the COSO Integrated
Framework*:
1. Control Environment
2. Risk Assessment
3. Information and Communication Systems
4. Monitoring
5. Control Activities
*Executive Summary: Internal Control over Financial Reporting For
Small Public Companies available on FAR Web Site:
www.far-roundtable.org
18
Gaining Understanding of Internal Control
• Internal control
– Evaluate the design
– Capable of effectively preventing, detecting, and
correcting material misstatements
– Addresses significant risks and fraud risks
• Has been implemented
–
–
–
–
Actually exists and entity is using it
Aware of control and responsibility for performance
Working knowledge of how to perform
Inquiry alone not sufficient (e.g., walkthroughs)
• Include information technology controls
• Include controls for service organizations utilized
19
Opportunity and Benefits
• Have you evaluated entity risks in a formal manner?
• Have you designed and implemented control
procedures to address entity risks?
• Understand your organization’s risks for material
misstatement of financial statements (not just fraud)
and how your organization’s internal control reduces
those risks (see sample Risk Assessment on FAR
website).
• Results:
– Improved risk management at your organization.
– Potential changes to more efficient audit procedures.
20
What Can You Do To Prepare?
• Meet with your Auditors and plan for
–
–
–
–
Additional inquiries
Additional corroborating evidence
Additional documentation needed
Identification of documentation you currently have
• Educate your Management & Audit Committee
with resources and tools identified
• Initiate an internal Risk Assessment and
Monitoring Process to support the five elements of
internal control and financial statement assertions
21
Questions & Discussion