Upload
tino
View
67
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Risk Assessment and the Governmental Audit. Presented to:Connecticut Society of CPA’s Date:May 14, 2008 Presented by:Christian J. Rogers, CPA, Shareholder. Today’s Agenda. Brief discussion of each of the new risk assessment standards (“Risk Assessment Suite”), SAS’s 104 - 111 - PowerPoint PPT Presentation
Citation preview
Risk Assessment and Risk Assessment and the Governmental Auditthe Governmental Audit
Presented to:Presented to: Connecticut Society of CPA’sConnecticut Society of CPA’s
Date:Date: May 14, 2008May 14, 2008
Presented by:Presented by: Christian J. Rogers, CPA, ShareholderChristian J. Rogers, CPA, Shareholder
May 14, 2008May 14, 2008 22
Today’s AgendaToday’s Agenda Brief discussion of each of the new risk Brief discussion of each of the new risk
assessment standards (“Risk Assessment Suite”), assessment standards (“Risk Assessment Suite”), SAS’s 104 - 111SAS’s 104 - 111
Purpose and objectives of the new standardsPurpose and objectives of the new standards Major changes to current practiceMajor changes to current practice Assessing risks of material misstatementAssessing risks of material misstatement Procedures to perform in response to assessed Procedures to perform in response to assessed
risksrisks Audit documentationAudit documentation Wrap-upWrap-up QuestionsQuestions
May 14, 2008May 14, 2008 33
Risk Assessment SuiteRisk Assessment Suite
SAS No. 104, Amendment to SAS Amendment to SAS No. 1 (Codification of Auditing No. 1 (Codification of Auditing Standards and Procedures)Standards and Procedures)• Expands the definition of “reasonable Expands the definition of “reasonable
assurance” (as cited in the Auditor’s assurance” (as cited in the Auditor’s Opinion) as a “Opinion) as a “highhigh level of assurance”. level of assurance”.
May 14, 2008May 14, 2008 44
Risk Assessment SuiteRisk Assessment Suite
SAS No. 105, Amendment to SAS 95, Amendment to SAS 95, Generally Accepted Auditing StandardsGenerally Accepted Auditing Standards• Reflects new usage of terms required by SAS No. 102.Reflects new usage of terms required by SAS No. 102.
• Second standard of fieldwork modified as follows:Second standard of fieldwork modified as follows: Expands scope from “internal control” to “the entity and its Expands scope from “internal control” to “the entity and its
environment, including its internal control”environment, including its internal control” Extends purpose from “planning the audit” to “assessing Extends purpose from “planning the audit” to “assessing
the risk of material misstatement of the financial the risk of material misstatement of the financial statements whether due to error or fraud”statements whether due to error or fraud”
““Tests to be performed” is replaced with “further audit Tests to be performed” is replaced with “further audit procedures”procedures”
May 14, 2008May 14, 2008 55
Risk Assessment SuiteRisk Assessment Suite
SAS 105 (Continued)SAS 105 (Continued)• Third standard of fieldwork is modified Third standard of fieldwork is modified
as follows:as follows: Eliminates reference to specific audit Eliminates reference to specific audit
procedures (inspection, observation, procedures (inspection, observation, inquiries and confirmation); reference is to inquiries and confirmation); reference is to “audit procedures”“audit procedures”
““Competent evidential matter” is replaced Competent evidential matter” is replaced with “Appropriate audit evidence”with “Appropriate audit evidence”
• Appropriate is defined in SAS 106 (para. 6)Appropriate is defined in SAS 106 (para. 6)
May 14, 2008May 14, 2008 66
Risk Assessment SuiteRisk Assessment Suite
SAS No. 106, Audit Evidence (Amends SAS SAS No. 106, Audit Evidence (Amends SAS 31, Evidential Matter)31, Evidential Matter)• Provides guidance regarding concepts Provides guidance regarding concepts
underlying the third standard of fieldwork:underlying the third standard of fieldwork: ““The auditor must obtain sufficient The auditor must obtain sufficient
appropriate audit evidence by performing appropriate audit evidence by performing audit procedures to afford a reasonable audit procedures to afford a reasonable basis for an opinion regarding the financial basis for an opinion regarding the financial statements under audit.” statements under audit.”
May 14, 2008May 14, 2008 77
Risk Assessment SuiteRisk Assessment Suite
SAS No. 106, Audit Evidence (Continued)SAS No. 106, Audit Evidence (Continued)• Defines audit evidenceDefines audit evidence• Defines and discusses relevant assertions and Defines and discusses relevant assertions and
their use in risk assessment and designing their use in risk assessment and designing appropriate further audit proceduresappropriate further audit procedures
• Discusses qualitative aspects in determining Discusses qualitative aspects in determining the sufficiency and appropriateness of audit the sufficiency and appropriateness of audit evidenceevidence
• Describes various audit procedures and Describes various audit procedures and discusses purposes for which they may be discusses purposes for which they may be performedperformed
May 14, 2008May 14, 2008 88
Risk Assessment SuiteRisk Assessment Suite SAS No. 107, Audit Risk and Materiality (Amends SAS 47)
• Provides guidance on auditor’s consideration of AR and Provides guidance on auditor’s consideration of AR and materiality in a financial statement audit in accordance with materiality in a financial statement audit in accordance with GAASGAAS
• Auditor must consider audit risk and must determine Auditor must consider audit risk and must determine materiality for the financial statements as a whole to:materiality for the financial statements as a whole to:
Determine extent and nature of risk assessment proceduresDetermine extent and nature of risk assessment procedures Identify and assess the risks of material misstatementIdentify and assess the risks of material misstatement Determine the nature, timing and extent of further audit Determine the nature, timing and extent of further audit
proceduresprocedures Evaluate whether the financial statements (taken as a whole) are Evaluate whether the financial statements (taken as a whole) are
presented, in all material respects, in conformity with GAAPpresented, in all material respects, in conformity with GAAP
• AR should be considered at the:AR should be considered at the: Overall financial statement levelOverall financial statement level Relevant assertions related to individual account balances, classes Relevant assertions related to individual account balances, classes
of transactions and disclosure levelof transactions and disclosure level
May 14, 2008May 14, 2008 99
Risk Assessment SuiteRisk Assessment Suite SAS 107 (Continued)SAS 107 (Continued)
• AR at the financial statement level often relate AR at the financial statement level often relate to control environmentto control environment
FraudFraud Competence of managementCompetence of management Related party transactionsRelated party transactions
• AR at the individual account balance, class of AR at the individual account balance, class of transactions and disclosure level consists of 2 transactions and disclosure level consists of 2 components:components:
Combined riskCombined risk• Inherent risk (IR)Inherent risk (IR)• Control risk (CR)Control risk (CR)
Detection risk (DR)Detection risk (DR)
May 14, 2008May 14, 2008 1010
Risk Assessment SuiteRisk Assessment Suite
SAS No. 107 (Continued)SAS No. 107 (Continued)• Determination of materiality is a matter Determination of materiality is a matter
of professional judgmentof professional judgment Based on needs of users of financial Based on needs of users of financial
statementsstatements
• Materiality involves quantitative and Materiality involves quantitative and qualitative characteristicsqualitative characteristics
• The auditor must accumulate and The auditor must accumulate and respond to both known and likely respond to both known and likely misstatementsmisstatements
May 14, 2008May 14, 2008 1111
Risk Assessment SuiteRisk Assessment Suite
SAS 107 (Continued)SAS 107 (Continued)• Auditor must consider the effect (both Auditor must consider the effect (both
individually and in the aggregate) of individually and in the aggregate) of misstatements (known and likely) not misstatements (known and likely) not corrected by the clientcorrected by the client
• Auditor should reassess materiality that Auditor should reassess materiality that was determined during planningwas determined during planning
Additional procedures may need to be Additional procedures may need to be applied to support opinionapplied to support opinion
May 14, 2008May 14, 2008 1212
Risk Assessment SuiteRisk Assessment Suite
SAS 108, Planning and Supervision SAS 108, Planning and Supervision (amends SAS 1 and SAS 22)(amends SAS 1 and SAS 22)• The first standard of fieldwork states:The first standard of fieldwork states:
““The auditor must adequately plan the work The auditor must adequately plan the work and must properly supervise any assistants”and must properly supervise any assistants”
• This statement establishes standards This statement establishes standards and provides guidance when conducting and provides guidance when conducting a GAAS audita GAAS audit
• Planning and supervision is a continuous Planning and supervision is a continuous processprocess
May 14, 2008May 14, 2008 1313
Risk Assessment SuiteRisk Assessment Suite
SAS 108 (Continued)SAS 108 (Continued)• Addresses the following:Addresses the following:
Appointment of the independent auditorAppointment of the independent auditor Establishing written understanding with clientEstablishing written understanding with client Preliminary engagement activitiesPreliminary engagement activities Overall audit strategyOverall audit strategy Audit planAudit plan Extent of involvement of specialistsExtent of involvement of specialists Communication with those CWG and managementCommunication with those CWG and management Additional considerations in initial auditsAdditional considerations in initial audits
May 14, 2008May 14, 2008 1414
Risk Assessment SuiteRisk Assessment Suite
SAS 109, Understanding the Entity and Its SAS 109, Understanding the Entity and Its Environment and Assessing Risks of Environment and Assessing Risks of Material Misstatement (amends, along Material Misstatement (amends, along with SAS 110, SAS 55)with SAS 110, SAS 55)• This statement establishes standards and This statement establishes standards and
provides guidance about implementing the 2provides guidance about implementing the 2ndnd standard of fieldworkstandard of fieldwork
““The auditor must obtain a sufficient understanding The auditor must obtain a sufficient understanding of the entity and its environment, including internal of the entity and its environment, including internal control, to assess the risk of material misstatement of control, to assess the risk of material misstatement of the financial statements whether due to error or the financial statements whether due to error or fraud, and to design the nature, timing and extent of fraud, and to design the nature, timing and extent of further audit procedures”further audit procedures”
May 14, 2008May 14, 2008 1515
Risk Assessment SuiteRisk Assessment Suite
SAS 109 (Continued)SAS 109 (Continued)• In summary, SAS 109 addressesIn summary, SAS 109 addresses
Risk assessment procedures and sources of Risk assessment procedures and sources of information about the entity and its information about the entity and its environment, including ICenvironment, including IC
Understanding the entity and its Understanding the entity and its environment, including ICenvironment, including IC
Assessing the risks of material misstatementAssessing the risks of material misstatement DocumentationDocumentation
May 14, 2008May 14, 2008 1616
Risk Assessment SuiteRisk Assessment Suite
SAS 109 (Continued)SAS 109 (Continued)• Areas of Areas of significant risksignificant risk require special require special
attentionattention Often relate to non-routine transactions and Often relate to non-routine transactions and
judgmental mattersjudgmental matters
• We will discuss this standard in greater We will discuss this standard in greater detail in a little whiledetail in a little while
May 14, 2008May 14, 2008 1717
Risk Assessment SuiteRisk Assessment Suite
SAS 110, Performing Audit Procedures in SAS 110, Performing Audit Procedures in Response to Assessed Risks and Response to Assessed Risks and Evaluating the Audit Evidence Obtained Evaluating the Audit Evidence Obtained (amends, along with SAS 109, SAS 55)(amends, along with SAS 109, SAS 55)• Provides standards and guidance regarding Provides standards and guidance regarding
concepts underlying the third standard of concepts underlying the third standard of fieldwork, which states:fieldwork, which states:
““The auditor must obtain sufficient appropriate audit The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the reasonable basis for an opinion regarding the financial statements under audit.”financial statements under audit.”
May 14, 2008May 14, 2008 1818
Risk Assessment SuiteRisk Assessment Suite
SAS 110 (Continued)SAS 110 (Continued) Determination of overall responsesDetermination of overall responses Designing and performing further audit Designing and performing further audit
proceduresprocedures Evaluating whether the risk assessments Evaluating whether the risk assessments
remain appropriate and to conclude whether remain appropriate and to conclude whether sufficient appropriate audit evidence has sufficient appropriate audit evidence has been obtainedbeen obtained
DocumentationDocumentation
• We will discuss this standard in greater We will discuss this standard in greater detail in a little whiledetail in a little while
May 14, 2008May 14, 2008 1919
Risk Assessment SuiteRisk Assessment Suite
SAS 111, Amendment to SAS 39, SAS 111, Amendment to SAS 39, Audit SamplingAudit Sampling• Provides enhanced guidance on
tolerable misstatement. Generally, misstatement in an account should be less than materiality to allow for aggregation in final assessment.
May 14, 2008May 14, 2008 2020
Purpose and ObjectivesPurpose and Objectives
The Purpose of the New StandardsThe Purpose of the New Standards
• To enhance the auditor’s performance To enhance the auditor’s performance and, as a result, increase the and, as a result, increase the effectiveness of auditseffectiveness of audits
May 14, 2008May 14, 2008 2121
Purpose and ObjectivesPurpose and Objectives The Objectives of the New StandardsThe Objectives of the New Standards
• Requiring a more in-depth understanding of the entity Requiring a more in-depth understanding of the entity and its environment, including its internal control (IC), to and its environment, including its internal control (IC), to identify the risks of material misstatement and what the identify the risks of material misstatement and what the entity is doing to mitigate thementity is doing to mitigate them
• Requiring a more rigorous assessment of the risks of Requiring a more rigorous assessment of the risks of material misstatement based on our understanding of material misstatement based on our understanding of the entity and its ICthe entity and its IC
• Improving linkage between the assessed risks and the Improving linkage between the assessed risks and the nature, timing and extent of audit procedures performed nature, timing and extent of audit procedures performed in response to those risksin response to those risks
May 14, 2008May 14, 2008 2222
Major Changes to Current PracticeMajor Changes to Current Practice
Major ChangesMajor Changes• One size does not fit allOne size does not fit all
Procedures/audit programs must be tailoredProcedures/audit programs must be tailored
• Risk assessment at the assertion levelRisk assessment at the assertion level• Default to maximum control risk is no Default to maximum control risk is no
longer permittedlonger permitted• Potential for higher level (more Potential for higher level (more
experienced) staff required during experienced) staff required during planning and risk assessment stages planning and risk assessment stages (dependent upon your current process)(dependent upon your current process)
May 14, 2008May 14, 2008 2323
Assessing Risks of Material Assessing Risks of Material Misstatement ( RMM)Misstatement ( RMM)
Where do we begin?Where do we begin?• Step 1 - Risk assessment procedures Step 1 - Risk assessment procedures
and sources of information about the and sources of information about the entity and its environment, including ICentity and its environment, including IC
• Step 2 – Understanding the entity and Step 2 – Understanding the entity and its environment, including its ICits environment, including its IC
Let’s get into the detailsLet’s get into the details
May 14, 2008May 14, 2008 2424
Assessing RMMAssessing RMM
Risk Assessment ProceduresRisk Assessment Procedures• Inquiries of management and othersInquiries of management and others• Analytical proceduresAnalytical procedures• Observation and inspectionObservation and inspection• Discussion among audit teamDiscussion among audit team• Other considerationsOther considerations
Let’s discuss each of these in further Let’s discuss each of these in further detaildetail
May 14, 2008May 14, 2008 2525
Assessing RMMAssessing RMM Inquiries of management and othersInquiries of management and others
• Those charged with governanceThose charged with governance• Internal auditorsInternal auditors• Employees who initiate, authorize, process or Employees who initiate, authorize, process or
record complex or unusual transactionsrecord complex or unusual transactions• In-house legal counselIn-house legal counsel• Sales or production personnelSales or production personnel• External partiesExternal parties
Investment managers and financial advisorsInvestment managers and financial advisors AttorneysAttorneys Rating agenciesRating agencies Regulatory bodiesRegulatory bodies
May 14, 2008May 14, 2008 2626
Assessing RMMAssessing RMM
Analytical ProceduresAnalytical Procedures• SAS No. 56 provides guidanceSAS No. 56 provides guidance• Assist in identifying the existence of Assist in identifying the existence of
unusual:unusual: Transactions or eventsTransactions or events AmountsAmounts RatiosRatios TrendsTrends
May 14, 2008May 14, 2008 2727
Assessing RMMAssessing RMM
Analytical Procedures (Continued)Analytical Procedures (Continued)• Expectations should be developed, for Expectations should be developed, for
example:example: Expected change as a result of budgetExpected change as a result of budget Expected change as a result of new revenue Expected change as a result of new revenue
streamstream
• Results is usually only a broad indication Results is usually only a broad indication about whether or not a MM existsabout whether or not a MM exists
• Consider results with other information Consider results with other information gatheredgathered
May 14, 2008May 14, 2008 2828
Assessing RMMAssessing RMM
Observation and InspectionObservation and Inspection• May support inquiries of management May support inquiries of management
and other and provide additional and other and provide additional informationinformation
Observation of activities and operationObservation of activities and operation Inspection of records and internal control Inspection of records and internal control
manualsmanuals Reading reports prepared by management:Reading reports prepared by management:
• Interim financial statementsInterim financial statements• Budget documentsBudget documents
May 14, 2008May 14, 2008 2929
Assessing RMMAssessing RMM
Observation and Inspection Observation and Inspection (Continued)(Continued)
Reading reports (i.e., minutes to meetings) Reading reports (i.e., minutes to meetings) prepared by those charged with governanceprepared by those charged with governance
Internal audit reportsInternal audit reports Facility site visitsFacility site visits Tracing transactions through the information Tracing transactions through the information
system relevant to financial reportingsystem relevant to financial reporting
May 14, 2008May 14, 2008 3030
Assessing RMMAssessing RMM
Audit Team DiscussionAudit Team Discussion• Can be held concurrently with SAS 99 Can be held concurrently with SAS 99
discussiondiscussion• Objective is for audit team to obtain a Objective is for audit team to obtain a
better understanding of the potential for better understanding of the potential for material misstatements and relationship material misstatements and relationship between the result of the procedures between the result of the procedures performed and other aspects of the performed and other aspects of the audit (this is key)audit (this is key)
May 14, 2008May 14, 2008 3131
Assessing RMMAssessing RMM
Audit Team Discussion (Continued)Audit Team Discussion (Continued)• Discussion should include:Discussion should include:
Areas of significant audit riskAreas of significant audit risk Areas susceptible to management overrideAreas susceptible to management override Unusual accounting proceduresUnusual accounting procedures Important IC systemsImportant IC systems Materiality at financial statement and Materiality at financial statement and
account levelaccount level Application of GAAP related to the entityApplication of GAAP related to the entity
May 14, 2008May 14, 2008 3232
Assessing RMMAssessing RMM
Other items for considerationOther items for consideration• Results of SAS 99 proceduresResults of SAS 99 procedures• Results of prior year auditsResults of prior year audits
Should determine if changes have occurred Should determine if changes have occurred that could affect the relevance of that that could affect the relevance of that informationinformation
• Communications with the client in Communications with the client in between audit cyclesbetween audit cycles
May 14, 2008May 14, 2008 3333
Assessing RMMAssessing RMM
Understanding the Entity and its Understanding the Entity and its Environment, Including its ICEnvironment, Including its IC• Includes the following aspectsIncludes the following aspects
1.1. Industry, regulatory and other external factorsIndustry, regulatory and other external factors
2.2. Nature of the entityNature of the entity
3.3. Objectives and strategies and the related business Objectives and strategies and the related business risks that may result in a material misstatementrisks that may result in a material misstatement
4.4. Measurement and review of the entity’s financial Measurement and review of the entity’s financial performanceperformance
5.5. Internal control, which includes the selection and Internal control, which includes the selection and application of accounting policiesapplication of accounting policies
May 14, 2008May 14, 2008 3434
Assessing RMMAssessing RMM
For items 1 through 4 above, the For items 1 through 4 above, the auditor should consider the auditor should consider the following:following:
• Industry, regulatory and other external Industry, regulatory and other external factorsfactors
Industry conditionsIndustry conditions• Market and competitionMarket and competition• Cyclical or seasonal activityCyclical or seasonal activity• Budgetary constraints at the state and/or federal Budgetary constraints at the state and/or federal
levellevel
May 14, 2008May 14, 2008 3535
Assessing RMMAssessing RMM
Regulatory environmentRegulatory environment• Industry-specific practicesIndustry-specific practices• Legislation and regulation that significantly affect Legislation and regulation that significantly affect
the entity’s operationsthe entity’s operations Direct supervisory activitiesDirect supervisory activities Regulatory requirementsRegulatory requirements
• TaxesTaxes• EnvironmentalEnvironmental
External factorsExternal factors• Recession, growth, etc.Recession, growth, etc.• Interest ratesInterest rates• InflationInflation
May 14, 2008May 14, 2008 3636
Assessing RMMAssessing RMM• Nature of the entityNature of the entity
Business operationsBusiness operations• Nature of revenue sourcesNature of revenue sources• Products or services and the related marketProducts or services and the related market• Related party transactionsRelated party transactions• Location of facilitiesLocation of facilities
InvestmentsInvestments• In joint ventures, special-purpose entities, etc.In joint ventures, special-purpose entities, etc.• In plant and equipmentIn plant and equipment
FinancingFinancing• Use of derivativesUse of derivatives• LeasingLeasing• DebtDebt
Financial reportingFinancial reporting• Accounting principles and industry-specific practicesAccounting principles and industry-specific practices• Revenue recognition practicesRevenue recognition practices• Foreign currency transactionsForeign currency transactions• Unusual and complex transactionsUnusual and complex transactions
May 14, 2008May 14, 2008 3737
Assessing RMMAssessing RMM
• Objectives and Strategies and Related Objectives and Strategies and Related Business RisksBusiness Risks
New products or servicesNew products or services Industry developmentsIndustry developments New accounting and regulatory requirementsNew accounting and regulatory requirements
• Measurement and Review of Financial Measurement and Review of Financial PerformancePerformance
Key performance indicatorsKey performance indicators TrendsTrends Analyst reports and credit ratingsAnalyst reports and credit ratings
Appendix A of SAS 109 includes more Appendix A of SAS 109 includes more examples of matters that the auditor may examples of matters that the auditor may considerconsider
May 14, 2008May 14, 2008 3838
Assessing RMMAssessing RMM
Internal ControlInternal Control• A process, effected by those charged A process, effected by those charged
with governance, management and with governance, management and other personnel, designed to provide other personnel, designed to provide reasonable assurance about the reasonable assurance about the achievement of the entity’s objectives achievement of the entity’s objectives regarding the reliability of financial regarding the reliability of financial reporting, effectiveness and efficiency of reporting, effectiveness and efficiency of operations, and compliance with operations, and compliance with applicable laws and regulations.applicable laws and regulations.
May 14, 2008May 14, 2008 3939
Assessing RMMAssessing RMM
Internal Control (Continued)Internal Control (Continued)• Auditor should obtain an understanding Auditor should obtain an understanding
of the five components of IC sufficient to of the five components of IC sufficient to assess RMM (due to error or fraud), and assess RMM (due to error or fraud), and to design the nature, timing and extent to design the nature, timing and extent of further audit proceduresof further audit procedures
May 14, 2008May 14, 2008 4040
Assessing RMMAssessing RMM
Internal Control (Continued)Internal Control (Continued)• The COSO framework:The COSO framework:
May 14, 2008May 14, 2008 4141
Assessing RMMAssessing RMM
Internal Control (Continued)Internal Control (Continued)• Control EnvironmentControl Environment
The foundation for all other IC componentsThe foundation for all other IC components Sets organizational toneSets organizational tone
• Risk AssessmentRisk Assessment Entity’s identification and analysis of relevant risks in Entity’s identification and analysis of relevant risks in
achieving objectivesachieving objectives Forms a basis for how those risks should be managedForms a basis for how those risks should be managed
• Information and CommunicationsInformation and Communications Supports the identification, capture and exchange of Supports the identification, capture and exchange of
information in a form and timeframe that enable information in a form and timeframe that enable people to carry out their responsibilitiespeople to carry out their responsibilities
May 14, 2008May 14, 2008 4242
Assessing RMMAssessing RMM
Internal Control (Continued)Internal Control (Continued)• Control activitiesControl activities
The policies and procedures that ensure that The policies and procedures that ensure that management’s directives are carried outmanagement’s directives are carried out
• MonitoringMonitoring Assesses the quality of IC performance over Assesses the quality of IC performance over
timetime
May 14, 2008May 14, 2008 4343
Assessing RMMAssessing RMM
Internal Control (Continued)Internal Control (Continued)• Depth of understanding ICDepth of understanding IC
Evaluate design of controls relevant to the auditEvaluate design of controls relevant to the audit• Is the control capable, individually or collectively, of Is the control capable, individually or collectively, of
effectively preventing or detecting and correcting effectively preventing or detecting and correcting material misstatementsmaterial misstatements
Determine whether the applicable controls have been Determine whether the applicable controls have been implemented (the control exists and the entity is implemented (the control exists and the entity is using it)using it)
The design of the control should be considered in The design of the control should be considered in determining whether to consider its implementationdetermining whether to consider its implementation
• If the design is deficient, it’s implementation is If the design is deficient, it’s implementation is ineffectiveineffective
May 14, 2008May 14, 2008 4444
Assessing RMMAssessing RMM
Internal Control (Continued)Internal Control (Continued) Perform risk assessment procedures to Perform risk assessment procedures to
obtain understanding of ICobtain understanding of IC• Inquiry of personnelInquiry of personnel• Observation of the application of specific controlsObservation of the application of specific controls• Inspecting documents and reportsInspecting documents and reports• Tracing transactions through the financial Tracing transactions through the financial
reporting systemreporting system Inquiry alone is not sufficientInquiry alone is not sufficient
May 14, 2008May 14, 2008 4545
Assessing RMMAssessing RMM
Assessing RMMAssessing RMM• Now that we have obtained our Now that we have obtained our
understanding and performed our risk understanding and performed our risk assessment procedures it is time to assessment procedures it is time to assess the RMMassess the RMM
The assessment must be made at the The assessment must be made at the financial statement level and relevant financial statement level and relevant assertion level related to:assertion level related to:
• Classes of transactionsClasses of transactions• Account balancesAccount balances• DisclosuresDisclosures
May 14, 2008May 14, 2008 4646
Assessing RMMAssessing RMM
Assessing RMM (Continued)Assessing RMM (Continued) Risks should be identified throughout the process of Risks should be identified throughout the process of
obtaining understanding of the entity and its obtaining understanding of the entity and its environment, including relevant controls that relate environment, including relevant controls that relate to risks, and consider the classes of transactions, to risks, and consider the classes of transactions, account balances and disclosuresaccount balances and disclosures
Relate identified risks to what can go wrong at the Relate identified risks to what can go wrong at the relevant assertion levelrelevant assertion level
Consider whether risks are of magnitude that could Consider whether risks are of magnitude that could result in material misstatementresult in material misstatement
Consider the likelihood that the risks could result in Consider the likelihood that the risks could result in material misstatementmaterial misstatement
May 14, 2008May 14, 2008 4747
Assessing RMMAssessing RMM
Assessing RMM (Continued)Assessing RMM (Continued) Determine whether risks relate to specific Determine whether risks relate to specific
relevant assertions or to the financial relevant assertions or to the financial statements as a whole (weak control statements as a whole (weak control environment)environment)
Risk assessment is used to determine the Risk assessment is used to determine the nature, timing and extent of further audit nature, timing and extent of further audit procedures to be performedprocedures to be performed
If the expectation is that controls are If the expectation is that controls are operating effectively at the relevant operating effectively at the relevant assertion level, tests of controls must be assertion level, tests of controls must be performedperformed
May 14, 2008May 14, 2008 4848
Assessing RMMAssessing RMM
Assessing RMM (Continued)Assessing RMM (Continued)• Significant RisksSignificant Risks
Require special audit considerationRequire special audit consideration Based on auditor’s judgmentBased on auditor’s judgment Considerations include:Considerations include:
• Inherent riskInherent risk• Risk of fraudRisk of fraud• Related to recent significant economic, accounting or Related to recent significant economic, accounting or
other developmentsother developments• ComplexityComplexity• Related partiesRelated parties• Significant nonroutine transactionsSignificant nonroutine transactions• Significant estimatesSignificant estimates
May 14, 2008May 14, 2008 4949
Assessing RMMAssessing RMM
Assessing RMM (Continued)Assessing RMM (Continued) Auditor’s response:Auditor’s response:
• If the auditor has not already done so, evaluate If the auditor has not already done so, evaluate design of the entity’s controls related to the risksdesign of the entity’s controls related to the risks
• This will be discussed further in the next section, This will be discussed further in the next section, Performing Procedures in Response to Assessed Performing Procedures in Response to Assessed RisksRisks
May 14, 2008May 14, 2008 5050
Procedures to be PerformedProcedures to be Performed
How do we respond to our RMM?How do we respond to our RMM? There are two types of responsesThere are two types of responses
• Overall responses at the financial Overall responses at the financial statement levelstatement level
Maintain professional skepticismMaintain professional skepticism Assigning more experienced staffAssigning more experienced staff Using specialistsUsing specialists Performing procedures at year-end rather Performing procedures at year-end rather
than during the interimthan during the interim
May 14, 2008May 14, 2008 5151
Procedures to be PerformedProcedures to be Performed
• Responses at the relevant assertion Responses at the relevant assertion levellevel
Auditors should design and perform further Auditors should design and perform further audit procedures whose nature, timing and audit procedures whose nature, timing and extent are based on/responsive to the RMMextent are based on/responsive to the RMM
The purpose is to provide clear linkage The purpose is to provide clear linkage between the procedures performed and the between the procedures performed and the RMMRMM
May 14, 2008May 14, 2008 5252
Procedures to be PerformedProcedures to be Performed
• Responses at the relevant assertion Responses at the relevant assertion level (Continued)level (Continued)
ConsiderationsConsiderations• Significance of the riskSignificance of the risk• Likelihood of material misstatementLikelihood of material misstatement• Characteristics of the class of transactions, Characteristics of the class of transactions,
account balance, or disclosure involvedaccount balance, or disclosure involved• Nature of the specific controls used by the entity Nature of the specific controls used by the entity
being audited (manual vs. automated)being audited (manual vs. automated)• Whether the auditor expects to test controlsWhether the auditor expects to test controls
May 14, 2008May 14, 2008 5353
Procedures to be PerformedProcedures to be Performed
Audit approachAudit approach• Risk assessment at the relevant assertion level Risk assessment at the relevant assertion level
is the basis for the auditors approachis the basis for the auditors approach• Must have a basis to default to maximum Must have a basis to default to maximum
control riskcontrol risk• Can be a combination of tests of controls and Can be a combination of tests of controls and
substantive proceduressubstantive procedures• Even if controls are determined to be Even if controls are determined to be
functioning effectively, substantive procedures functioning effectively, substantive procedures must be performedmust be performed
Effective internal controls only reduce, not eliminate, Effective internal controls only reduce, not eliminate, the RMMthe RMM
May 14, 2008May 14, 2008 5454
Procedures to be PerformedProcedures to be Performed
Audit Approach (Continued)Audit Approach (Continued)• Analytical procedures alone may not be Analytical procedures alone may not be
sufficientsufficient Allowance for doubtful accountsAllowance for doubtful accounts IBNR accrualsIBNR accruals
• Regardless of the approach, the auditor Regardless of the approach, the auditor should perform substantive procedures should perform substantive procedures for all relevant assertions related to for all relevant assertions related to each material class of transactions, each material class of transactions, account balance and disclosureaccount balance and disclosure
May 14, 2008May 14, 2008 5555
Procedures to be PerformedProcedures to be Performed
Nature, Timing and ExtentNature, Timing and Extent• NatureNature
Refers to purpose (tests of controls or Refers to purpose (tests of controls or substantive procedures) and type substantive procedures) and type (inspection, observation, recalculation, (inspection, observation, recalculation, analytical, etc.)analytical, etc.)
Based on RMM at relevant assertion levelBased on RMM at relevant assertion level If information is being used from the entity’s If information is being used from the entity’s
information system for audit procedures, information system for audit procedures, evidence should be obtained about the evidence should be obtained about the accuracy and completeness of that accuracy and completeness of that informationinformation
May 14, 2008May 14, 2008 5656
Procedures to be PerformedProcedures to be Performed
Nature, Timing and Extent (Continued)Nature, Timing and Extent (Continued)• TimingTiming
Audit procedures performed at interim period or end-Audit procedures performed at interim period or end-of-periodof-period
If procedures are performed at an interim period, the If procedures are performed at an interim period, the auditor should consider the additional evidence that auditor should consider the additional evidence that is necessary for the remaining periodis necessary for the remaining period
ConsiderationsConsiderations• Control environmentControl environment• Nature of riskNature of risk
Certain procedures can only be performed at year-Certain procedures can only be performed at year-endend
• Reconciling accounting records to financial statementsReconciling accounting records to financial statements• Examining financial statement adjustmentsExamining financial statement adjustments
May 14, 2008May 14, 2008 5757
Procedures to be PerformedProcedures to be Performed
• ExtentExtent Based on auditor’s judgment after Based on auditor’s judgment after
consideringconsidering• Tolerable misstatementTolerable misstatement• RMMRMM• The degree of assurance the auditor plans to The degree of assurance the auditor plans to
obtainobtain The higher the RMM, the more likely an The higher the RMM, the more likely an
increase in the extent of audit proceduresincrease in the extent of audit procedures• Only effective if the audit procedures is relevant Only effective if the audit procedures is relevant
to the specific risk and reliable; therefore the to the specific risk and reliable; therefore the nature of the audit procedure is the most nature of the audit procedure is the most important considerationimportant consideration
May 14, 2008May 14, 2008 5858
Procedures to be PerformedProcedures to be Performed
Tests of ControlsTests of Controls• Should be performed when:Should be performed when:
Auditor, based on risk assessment, relies on the Auditor, based on risk assessment, relies on the effectiveness of controlseffectiveness of controls
Substantive procedures alone do not provide Substantive procedures alone do not provide appropriate audit evidence at the relevant assertion appropriate audit evidence at the relevant assertion levellevel
• Inquiry alone is not sufficient audit evidenceInquiry alone is not sufficient audit evidence• Use a combination of proceduresUse a combination of procedures
Inquiry and observationInquiry and observation Inspection and re-performanceInspection and re-performance
May 14, 2008May 14, 2008 5959
Procedures to be PerformedProcedures to be Performed
Tests of Controls (Continued)Tests of Controls (Continued)• Auditor may use evidence obtained in prior Auditor may use evidence obtained in prior
auditsaudits However, auditor should obtain evidence about However, auditor should obtain evidence about
whether or not changes have occurred to the whether or not changes have occurred to the applicable controlsapplicable controls
If controls have changed from prior audit, the auditor If controls have changed from prior audit, the auditor should re-test the controlsshould re-test the controls
Considerations:Considerations:• Effectiveness of other IC elements (control Effectiveness of other IC elements (control
environment, risk assessment, monitoring)environment, risk assessment, monitoring)• Effectiveness of IT general controlsEffectiveness of IT general controls• Risk of material misstatement and the extent of Risk of material misstatement and the extent of
reliance on the controlreliance on the control
May 14, 2008May 14, 2008 6060
Procedures to be PerformedProcedures to be Performed
Tests of Controls (Continued)Tests of Controls (Continued)• Auditor should test controls at least once in Auditor should test controls at least once in
every third year of an annual auditevery third year of an annual audit Unless the control is related to a significant risk, Unless the control is related to a significant risk,
whereby the control must be tested for the current whereby the control must be tested for the current audit periodaudit period
• Conditions that could decrease the period for Conditions that could decrease the period for re-testing a control; or cause the auditor to not re-testing a control; or cause the auditor to not rely on evidence obtained in prior audits:rely on evidence obtained in prior audits:
Weak control environmentWeak control environment Weak monitoring controlsWeak monitoring controls Significant personnel changesSignificant personnel changes Weak IT controlsWeak IT controls
May 14, 2008May 14, 2008 6161
Procedures to be PerformedProcedures to be Performed
Substantive Procedures (SP)Substantive Procedures (SP)• To reiterate, regardless of the assessed RMM, To reiterate, regardless of the assessed RMM,
the auditor should design and perform the auditor should design and perform substantive procedures for all relevant substantive procedures for all relevant assertions related to each material class of assertions related to each material class of transactions, account balance and disclosuretransactions, account balance and disclosure
• SP should include the following regarding the SP should include the following regarding the financial statement reporting process:financial statement reporting process:
Reconciling the financial statements (including notes) Reconciling the financial statements (including notes) to the underlying accounting recordsto the underlying accounting records
Examining material journal entries and other Examining material journal entries and other adjustments made when preparing the financial adjustments made when preparing the financial statementsstatements
May 14, 2008May 14, 2008 6262
Procedures to be PerformedProcedures to be Performed SP (Continued)SP (Continued)
• SP includes tests of details and substantive analytical SP includes tests of details and substantive analytical proceduresprocedures
Tests of detailsTests of details• Ordinarily applicable to obtain audit evidence with regards to Ordinarily applicable to obtain audit evidence with regards to
relevant assertions about account balances, including relevant assertions about account balances, including existence and valuationexistence and valuation
Substantive analytical proceduresSubstantive analytical procedures• Ordinarily applicable to large volumes of transactions that tend Ordinarily applicable to large volumes of transactions that tend
to be predictable over timeto be predictable over time
• The auditor’s determination of SP are affected by The auditor’s determination of SP are affected by whether evidence has been obtained about the whether evidence has been obtained about the operating effectiveness of controlsoperating effectiveness of controls
• The greater the RMM, the less detection risk that can be The greater the RMM, the less detection risk that can be acceptedaccepted
Result: Greater the extent of SPResult: Greater the extent of SP
May 14, 2008May 14, 2008 6363
Procedures to be PerformedProcedures to be Performed
SP (Continued)SP (Continued)• Significant risksSignificant risks
Auditor should design and perform SP that Auditor should design and perform SP that specifically respond to the risk(s)specifically respond to the risk(s)
Perform tests of details, or a combination of Perform tests of details, or a combination of tests of details and analytical procedurestests of details and analytical procedures
• Analytical procedures alone (as it relates to Analytical procedures alone (as it relates to significant risks) is not sufficient appropriate audit significant risks) is not sufficient appropriate audit evidenceevidence
May 14, 2008May 14, 2008 6464
Procedures to be PerformedProcedures to be Performed
Adequacy of Presentation and Adequacy of Presentation and DisclosureDisclosure• Auditor should perform audit procedures Auditor should perform audit procedures
to evaluate whether the overall to evaluate whether the overall presentation of the financial statements, presentation of the financial statements, including the related disclosures, are in including the related disclosures, are in accordance with GAAPaccordance with GAAP
May 14, 2008May 14, 2008 6565
Procedures to be PerformedProcedures to be Performed
Evaluating the Sufficiency and Evaluating the Sufficiency and Appropriateness of the Audit Evidence Appropriateness of the Audit Evidence ObtainedObtained• Based on audit procedures performed, Based on audit procedures performed,
evaluate whether the assessments of the RMM evaluate whether the assessments of the RMM remain appropriateremain appropriate
• Audit evidence obtained may cause the auditor Audit evidence obtained may cause the auditor to modify the nature, timing and extent of to modify the nature, timing and extent of proceduresprocedures
• The auditor should not assume that instances The auditor should not assume that instances of fraud and/or errors are isolatedof fraud and/or errors are isolated
May 14, 2008May 14, 2008 6666
Procedures to be PerformedProcedures to be Performed
• The sufficiency and appropriateness of audit The sufficiency and appropriateness of audit evidence are a matter of professional judgment evidence are a matter of professional judgment and is influenced by factors such as:and is influenced by factors such as:
Persuasiveness of audit evidencePersuasiveness of audit evidence Understanding of the entity, including ICUnderstanding of the entity, including IC Effectiveness of management’s responses and Effectiveness of management’s responses and
controls to address the riskscontrols to address the risks Source and reliability of informationSource and reliability of information Significance of the potential misstatement in the Significance of the potential misstatement in the
relevant assertion and the likelihood of material relevant assertion and the likelihood of material misstatement (individually and collectively)misstatement (individually and collectively)
May 14, 2008May 14, 2008 6767
Audit DocumentationAudit Documentation
What should the auditor document?What should the auditor document?• In a nutshell, EVERYTHING!!In a nutshell, EVERYTHING!!
The manner that audit evidence is The manner that audit evidence is documented is based on auditor’s documented is based on auditor’s judgmentjudgment
SAS 103, SAS 103, Audit DocumentationAudit Documentation, , provides general guidance and provides general guidance and common techniquescommon techniques
May 14, 2008May 14, 2008 6868
Audit DocumentationAudit Documentation Documentation specificsDocumentation specifics
• Key elements when obtaining understanding of Key elements when obtaining understanding of entity and its environment, including ICentity and its environment, including IC
• Audit team discussionAudit team discussion• RMM at the financial statement and relevant RMM at the financial statement and relevant
assertion levelsassertion levels• Significant audit risksSignificant audit risks• Overall responses to RMMOverall responses to RMM• Nature, timing and extent of further audit Nature, timing and extent of further audit
proceduresprocedures• The linkage of the procedures performed to the The linkage of the procedures performed to the
risks at the relevant assertion levelrisks at the relevant assertion level
May 14, 2008May 14, 2008 6969
Wrap-upWrap-up
Culture changeCulture change Most of this is not new; but the approach Most of this is not new; but the approach
may change.may change.• How much will vary dependent upon your How much will vary dependent upon your
current approachcurrent approach Partners and managers should be involved Partners and managers should be involved
early in the processearly in the process• This will assist with properly identifying RMM This will assist with properly identifying RMM
and designing the nature, timing and extent of and designing the nature, timing and extent of further audit proceduresfurther audit procedures
May 14, 2008May 14, 2008 7070
Wrap-upWrap-up
More than likely, you will not get it More than likely, you will not get it right the first timeright the first time
Continued education of audit staffContinued education of audit staff• This will be critical in achieving an This will be critical in achieving an
effective and efficient auditeffective and efficient audit Educate your clientsEducate your clients
• Costs will need to be passed onCosts will need to be passed on SAS 112 considerationsSAS 112 considerations
May 14, 2008May 14, 2008 7171
QuestionsQuestions
Anyone, anyone, Bueller?Anyone, anyone, Bueller?