Slide Heading

Slide HeadingAGA Winter Seminar

Auditing Standards UpdateJanuary 10-11, 2013

Jerry E. Durham, CPA, CGFM, CFEDivision of Local Government Audit

Auditing Standards

• Two different types of Standards:

– GASB Standards = GAAP• How do I report numbers on the Financial

Statements

– Auditing Standards• How do I perform the audit of the numbers

2

Auditing Standards

• Auditing Standard Setters:– How many?

• 1• 2• 3• 4• 5

3

Auditing Standards

• Standards Setters:– AICPA/ASB = Generally Accepted Auditing

Standards = GAAS– GAO = Government Auditing Standards =

Yellow Book = GAGAS– OMB = Single Audit Standards = A-133

Standards

4

Auditing Standards

• Standards Setters (cont’d):– IFAC/IAASB = International Audit

Standards = ISAs??– PCAOB/SEC = Standards for Publicly

Traded Companies = AS??

5

Auditing Standards

• Why have Standards?– What if an inch was not an inch or a

pound was not a pound?– What if a size 10 was really a size 2?– What if CPAs could perform audits any

way they wanted to?– Many auditing standards are driven by

audit failures.

6

Auditing Standards

• History:

– Prior to 1917, Verification Audits of the Balance Sheet without standards.

– 1917-18, First Standards for Balance Sheet Audits (FTC and FRB) “Approved Methods for the Preparation of Balance-Sheet Statements” by AIA.

7

Auditing Standards

• History:

– 1929, “Verification of Financial Statements” which included the income statement (i.e. Financial Statements)

– 1936, Outline of examination of financial statements of a small or moderate size company, “Examination of Financial Statements by Independent Public Accountants”. (i.e. “Examination” rather than “Verification”)

8

Auditing Standards

• History:– 1939, “Extensions of Auditing Procedure”,

included Statement No. 1 of the Committee on Auditing Procedure, guide auditors in using judgment.

– 1941, “Statements on Auditing Procedure”– 1951, 24 Statements were issued in a

“Codification of Statements on Auditing Procedure”

9

Auditing Standards

• History:– 1954, “Generally Accepted Auditing

Standards – Their Significance and Scope” was published which changed the focus to “Standards” as opposed to “Procedures”.

– 1963, “Statement on Auditing Procedure No. 33” was issued. It consolidated all previous standards and procedures.

10

Auditing Standards

• History:– 1972, Statement on Auditing Standards

“(SAS) No. 1, Codification of Auditing Standards and Procedures”.

– 1978, Auditing Standards Board was created.

– 2002-2004, Sarbanes-Oxley Act was passed and the AICPA officially recognized PCAOB’s authority for publicly traded companies.

11

Auditing Standards

• History:– 2011, the ASB issued SAS No. 122,

Statements on Auditing Standards: Clarification and Recodification (already amended)

– More to come, already up to SAS 126.

12

Auditing Standards

• Just an Opinion:– Mark Funkhouser, former Kansas City

Auditor and Mayor, now Director of Governing Institute said, auditors know how to audit, just do what you know is right (paraphrased)

– My question? Do you think the standards hinder us from doing that?

13

Auditing Standards

• Just an Opinion:– Bottom line, we must have standards or

our audits have little meaning to “professional” and “other” users of our financial statements.

– But how do you do that with so many standard setters?

– You have to be good at blocks!

14

Auditing Standards

?

A-133 requires a Yellow Book audit and adds to the standards required

by the Yellow Book.

The Yellow Book incorporates the SASs by reference and adds to

those standards.

The ASB establishes the SASs. SAS 117 Specifically deals with Compliance (A-133)

Audits

15

16

Yellow Book

17

Must & Should Word Count

Chapter 2007 YB 2011 YBMust Should Must Should

1 0 0 0 02 3 11 3 123 17 60 5 844 12 88 0 685 9 68 0 626 6 67 6 687 1 59 1 61

Appendix 0 1 0 1TOTALS 48 354 15 356

Yellow Book

• Generally Accepted Government Auditing Standards (GAGAS) incorporates by reference the AICPA Statements on Auditing Standards (SAS).

• GAGAS includes additional standards for Financial Audits and Attestation Engagements. GAGAS establishes Performance Audit Standards for Governments.

18

Yellow Book

• GAGAS does not cover nonaudit services, which are defined as professional services other than audits or attestation engagements. Therefore, auditors do not report that the nonaudit services were conducted in accordance with GAGAS.

19

Chapter 3

General Standards

20

Independence

Professional Judgment

Competence

Quality Control and Assurance

21

General Standards

General Standards

Chapter 3

Independence

22

Independence

• In all matters relating to the audit work, the audit organization and the individual auditor must be independent.– Independence of Mind

• The state of mind that permits the performance of an audit without being affected by influences that compromise professional judgment, allowing the individual to act with integrity and exercise objectivity and professional scepticism.

23

Independence

– Independence in Appearance• The absence of circumstances that would cause a

reasonable and informed third party, having knowledge of the relevant information, to reasonably conclude that the integrity, objectivity, or professional scepticism of an audit organization or member of the audit team had been compromised.

24

Independence

• Conceptual Framework for making independence decisions.

• Requirements and guidance for audit organizations that are structurally located within the entities they audit.

• Requirements and guidance for auditors performing nonaudit services.

• Requirements for and guidance on documentation of independence.

Standard Consists of Four

Interrelated

Sections:

25

26

Independence

• New approach combines a conceptual framework with certain rules (prohibitions)– Outcome generally consistent with the

International Federation of Accountants (IFAC) and AICPA

• Certain prohibitions remain– Generally consistent with Rule 101 AICPA

• If a threat, but not prohibited– Apply the conceptual framework

26

27

Independence

Threats could impair independence– Do not necessarily result in an independence

impairment

Safeguards could mitigate threats – Eliminate or reduce to an acceptable level– Not all threats can be eliminated

28

Independence

Conceptual Framework•Allows the auditor to assess unique circumstances

•Incorporates the familiar categories from 2007 YB

– Personal Impairments – External Impairments– Organizational Impairments– Two Overarching Principles:

• Can’t assume management responsibilities• Can’t audit your own work

29

Independence

Seven Categories of Threats

1. Self-interest threat2. Self-review threat3. Bias threat4. Familiarity threat5. Undue influence threat 6. Management participation threat7. Structural threat

Independence• Conceptual Framework Approach (cont’d)

• Self-interest threat = the threat that a financial or other interest will inappropriately influence an auditor’s judgment or behavior.

• Self-interest examples

30


• Self-review threat = the threat that an auditor (organization) that has provided nonaudit services will not appropriately evaluate the results of previous judgments made or services performed when forming a judgment significant to an audit.

• Self-review examples

31


• Bias threat = the threat that an auditor will, as a result of political, ideological, social, or other convictions, take a position that is not objective

• Bias examples

32


• Familiarity threat = the threat that aspects of a relationship with management or personnel of an audited entity, such as a close or long relationship, or that of an immediate or close family member, will lead an auditor to take a position that is not objective

• Familiarity examples

33


• Undue influence threat = the threat that external influences or pressures will impact an auditor’s ability to make independent and objective judgments

• Undue influence examples• Undue influence examples 2

34


• Management participation threat = the threat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit

• Management participation examples• Management participation examples 2

35


• Structural threat = the threat that an audit organization’s placement within a government entity, in combination with the structure of the government entity being audited, will impact the audit organization’s ability to perform work and report results objectively (Paragraphs 3.28, 3.29, 3.30)

• Structural examples

36


• Structural threat is mitigated by:– The audit organization is placed within a different

branch of government from that of the audited entity.– Head of the audit organization is appointed by a

legislative body, subject to removal by a legislative body, and reports the results of audits to and is accountable to a legislative body.

– Other statutory protections. (See 3.30)

37


• Management participation/structural threat is created by:– An audit organization’s principal serving as a voting

member of an entity’s management committee or board of directors, making policy decisions that affect the future direction and operation of an entity’s programs, developing or approving programmatic policy, authorizing entity transactions.

38

40

Independence

GAO will retire current Government Auditing Standards: Questions and Answers to Independence Standard

Questions guidance

41

Independence

Question 46 in the Yellow Book Q & A will no longer be available for demonstrating independence under the yellow book (dealt with preparing financial statements)

42

Independence

• Certain nonaudit services may be permitted:

– First, determine if there is a specific prohibition

– If not, the auditor should assess the nonaudit service’s impact on independence using the conceptual framework

43

Independence

– Management should take responsibility for nonaudit services performed by the auditors

– Auditors should document their understanding with management regarding the nonaudit service

– Auditors should assess and document whether management possesses suitable skill, knowledge, or experience to oversee the nonaudit service (SKE)

44

Independence

Preparing F/S May be permissible provided• Management possesses suitable

– Skills,– Knowledge, “or”– Experience To evaluate the adequacy and results of the services

performed

Consistent with AICPA ET 101–3

Otherwise no safeguard could reduce the threat to an acceptable level

45

Independence Bookkeeping Services May be performed

provided the auditor does not:– Determine or change journal entries, account

codings or classifications for transactions, or other accounting records without obtaining client approval

– Authorize or approve transactions– Prepare source documents– Make changes to source documents without

client approval

Consistent with AICPA ET 101-3

46

Independence • Division of Local Government Audit• 2011 Yellow Book• Threats to Independence and Safeguards to the Threats

AICPA Safeguards ExamplesAICPA SKE ExamplesAICPA Case Study Form 105, Safeguards to Independence

Independence• Providing Nonaudit Services

• Crucial Point: The individual designated to oversee nonaudit services is not required to possess the expertise to perform or reperform the nonaudit services. (Paragraph 3.34)

47

48

PPC Analysis Before and After

2007 Yellow Book – PPC Analysis

49


• Before: 2007 Yellow Book

• Ethics Interpretation 101-3 allows the Government to designate an individual who possesses SKE to oversee nonattest services.

• However, Possessing SKE to over see a service requires a lower level of technical knowledge than the competence criteria in SAS 115.

• Practitioners Publishing Co. Scan

50


• After: 2011 Yellow Book • Same!• Ethics Interpretation 101-3 allows the

Government to designate an individual who possesses SKE to oversee nonattest services.

• However, Possessing SKE to over see a service requires a lower level of technical knowledge than the competence criteria in SAS 115.

51

Peer review will be looking!

Conceptual Framework decisions are based on your professional judgment.

Document, Document, Document!!!!!!!!!!!!!

Performance Audit Changes:

• The discussion of validity as an aspect of the quality of evidence has been revised to indicate that it is the extent to which evidence is a meaningful or reasonable basis for measuring what is being evaluated. In other words, validity refers to the extent to which evidence represents what it is purported to represent. (6.60b)

• The discussion of the sufficiency and appropriateness of computer-processed information now indicates that the assessment of the sufficiency and appropriateness of computer-processed information includes considerations regarding the completeness and accuracy of the data for the intended purposes. (6.66)

• The auditor’s responsibilities for communicating identified internal control deficiencies that are not significant to the audit have been clarified. Related documentation requirements and those related to noncompliance with provisions of contracts or grant agreements or abuse that are not significant to the audit have been removed. (7.19, 7.22)

Performance Audit Changes:

• The fraud reporting requirement is now limited to occurrences that are significant within the context of the audit objectives (7.21), with a requirement to communicate in writing other instances of fraud that warrant the attention of those charged with governance. (7.22)

• The requirement that audit organizations develop policies to address requests by outside parties to obtain access to audit documentation has been removed. (2007 GAGAS, 7.84)

• Early communication of deficiencies has been added as a consideration auditors may follow in the course of the performance audit. (6.78)

Yellow Book

Peer Review Excuses for Not Complying

Reporting on the Audit• Chapter Three Test:

• Auditors must be independent in _______ and _______ .• Auditors should apply the conceptual framework to (a)

identify threats; (b) evaluate the significance of threats; (c) apply safeguards. True or False ?

• Which of the following is not a threat to independence: (a) Self-interest; (b) Self-review; (c) Bias; (d) Familiarity; (e) Undue Influence; (f) Documentation; (g) Management Participation; (h) Structural ?

• All threats are equally significant True or False ?• With proper documentation, Auditors can eliminate any

identified threat True or False ?

•

55

Reporting on the Audit• Chapter Three Test (cont’d):

• Management must designate someone to oversee nonaudit services that has _____, ________, or __________ and __________ of the nonaudit service sufficiently to oversee them.

• The person designated to oversee nonaudit services does not have to possess the expertise to _________ or _________ the nonaudit service.

• Auditors should document management’s ability to effectively oversee nonaudit services True or False ?

• If a threat cannot be eliminated, auditors should withdraw from the audit True or False ?

•

56

57

Questions?

GAAS

Clarity Standards

Clarity Standards• Statement on Auditing Standards:

Clarification and Recodification• SAS 122

• This standard contains 39 clarified SASs and supersedes all outstanding SASs through SAS No. 121 except SAS No. 51 (see SAS No. 124 below); No. 59; No. 65; No. 87 (see SAS No. 125 below); and Nos. 117–120. This standard also withdraws SAS No. 26.

59

Clarity Standards• New Clarified Standards:• SAS 123 – “Omnibus Statement on Auditing

Standards – 2011”• SAS 124 – “Financial Statements Prepared in

Accordance with a Financial Reporting Framework Generally Accepted in Another Country”

• SAS 125 – “Alert that Restricts the Use of the Auditor’s Written Communication”

• SAS 126 – “The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern”

• SAS 127 – “Omnibus Statement on Auditing Standards – 2013”

60

Clarity Standards• “The goal of the Clarity Project is to make

generally accepted auditing standards easier to read, understand, and apply.” As part of the project, the standards were also converged with standards issued by IAASB.

• “All AU Sections have been modified.” (AU-C)• “The revisions to GAAS, although extensive, do

not create many substantial requirements to existing requirements.”

• “Redrafting brings both significant and subtle changes”

61

Clarity Standards• But, if you think not much has changed that is of

any importance or relevance, THINK AGAIN!

• Appendix B to SAS 122 divides the new AU-C Sections into:– Substantive Changes– Primarily Clarifying Changes

62

Clarity Standards• Changes in Terminology – New Terms:

• Applicable financial reporting framework replaces GAAP as the assumed basis of accounting.

• “Emphasis-of-matter” and “other-matter” paragraphs replace “explanatory paragraphs”.

• Group engagement partner and component auditor replace principal auditor and other auditor.

• Unmodified Opinion replaces Unqualified Opinion• Modified Opinion means a Qualified, Adverse, or

Disclaimer of Opinion.

63

Clarity Standards

Substantive Changes

64

Clarity Standards• Consideration of Laws and Regulations (AU-C 250)

– Correspondence with Licensing or Regulatory Authorities• Communicating Internal Control Related Matters (AU-C

265)– Communicate other deficiencies in internal control (i.e. Beyond

Material Weaknesses and Significant Deficiencies) Include in any written report that no material weaknesses were identified.

– Include an explanation of the potential effects of the Material Weaknesses and Significant Deficiencies identified.

• Related Parties (AU-C 550)– Shifts audit to a risk based approach.

65

Clarity Standards• Group Audits (AU-C 600)

– Guidance has been significantly expanded– Terminology has been entirely changed– Certain things the Engagement Partner must do? Who is the

engagement partner?– Acceptance and Continuance focus has changed– Uses a Risk based approach based on the Risk Assessment

Standards– Understanding the Component Auditor– Determination of Materiality for the Group as a whole and for

the component– Communication with the Component Auditor and Those

Charged with Governance• Auditor’s Reports (AU-C 700, 705 and 706)

66

Opinion (Basis for qualified, adverse, or disclaimer)

Emphasis of Matter• Matters appropriately

presented or disclosedOther Matter• To understand audit matters

Headings and Subheadings

Other auditor reporting responsibilities

Management’s Responsibilities

Clarity Standards• Independent Auditor’s Report

• The Governing Body • [Entity Name]

• Report on the Financial Statements

• We have audited the accompanying financial statements of the governmental activities, the business-type activities, the aggregate discretely presented component units, each major fund, and the aggregate remaining fund information of [Entity Name], as of [Month XX, 20X2] and for the year then ended and the related notes to the financial statements, which collectively comprise [Entity Name]’s basic financial statements as listed in the table of contents.

68

Clarity Standards• Management’s Responsibility for the Financial

Statements

• [Entity Name]’s management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.

69

Clarity Standards• Auditor’s Responsibility

• Our responsibility is to express opinions on these financial statements based on our audit. We conducted our audit in accordance with auditing standards generally accepted in the United States of America and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

• An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control.3 Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements.

• We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinions.

70

Clarity Standards

• When the auditor issues an opinion other than unqualified, the paragraph detailing the reason for the modified report is still required immediately preceding the opinion paragraph, but now must have an appropriate heading:

• Basis for Qualified Opinion; or• Basis for Adverse Opinion; or• Basis for Disclaimer of Opinion

71

Clarity Standards• Opinion • In our opinion, the financial statements referred to above

present fairly, in all material respects, the respective financial position of the governmental activities, the business-type activities, the aggregate discretely presented component units, each major fund, and the aggregate remaining fund information of [Entity Name], as of [Month XX, 20X2], and the respective changes in financial position and, where applicable, cash flows thereof for the year then ended in accordance with accounting principles generally accepted in the United States of America (GAAP).

72

Clarity Standards• Other Matters

• In accordance with Government Auditing Standards, we have issued our report dated [Month XX, 20X2] on our consideration of [Entity Name]’s internal control over financial reporting and our tests of its compliance with certain provisions of laws, regulations, contracts and grant agreements, and other matters. The purpose of that report is to describe the scope of our testing of internal control over financial reporting and compliance and the results of that testing, and not to provide an opinion on the internal control over financial reporting or on compliance. That report is an integral part of an audit performed in accordance with Government Auditing Standards and should be considered in assessing the results of our audit.

73

Clarity Standards• Other Matters • [Identify the applicable financial reporting framework (for example, accounting

principles generally accepted in the United States of America)] require that [identify the included required supplementary information, such as management’s discussion and analysis and budgetary comparison information] be presented to supplement the basic financial statements. Such information, although not a part of the basic financial statements, is required by [identify designated accounting standard setter, such as the Governmental Accounting Standards Board], who considers it to be an essential part of financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the basic financial statements, and other knowledge we obtained during our audit of the basic financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with evidence sufficient to express an opinion of provide any assurance.

74

Clarity Standards• Other Matters • Our audit was conducted for the purpose of forming opinions on the financial statements that

collectively comprise [Entity Name]’s basic financial statements. The [identify accompanying supplementary information, such as the combining and individual non-major fund financial statements] are presented for purposes of additional analysis and are not a required part of the basic financial statements. Such information is the responsibility of management and was derived from and relates directly to the underlying accounting and other records used to prepare the financial statements. The information has been subjected to the auditing procedures applied in the audit of the financial statements and certain additional procedures, including comparing and reconciling such information directly to the underlying accounting and other records used to prepare the financial statements or to the financial statements themselves, and other additional procedures in accordance with auditing standards generally accepted in the United States of America. In our opinion, the information is fairly stated in all material respects in relation to the financial statements as a whole.

• Our audit was conducted for the purpose of forming opinions on the financial statements that collectively comprise [Entity Name]’s basic financial statements. The [identify relevant other information, such as the introductory and statistical section] is presented for purposes of additional analysis and is not a required part of the basic financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the basic financial statements and, accordingly, we do not express an opinion or provide any assurance on it.

75

Clarity Standards• Report on Other Legal and Regulatory Requirements

• [The form and content of this section of the auditor’s report will vary depending on the nature of the auditor’s other reporting responsibilities.]

• [Signature] • [Auditor’s city and state] • [Date]

76

Clarity Standards

Primarily Clarifying Changes

77

Clarity Standards

• “Primarily clarifying changes” are changes that are intended to explicitly state what may have been implicit in extant standards. These changes may not have a substantial impact but may result in adjustments to the timing and responsibilities of auditors or their clients.

78

Clarity Standards• Terms of Engagement (AU-C 210)

– Requires a written engagement letter (for each new engagement) and a reminder (written or oral) for recurring audits and to document that understanding.

– Financial Reporting Framework (Obtain mgmt’s agreement and acknowledgement of its responsibilities such as: selecting the appropriate financial reporting framework; establishing and maintaining internal controls; and allowing unrestricted access to employees.)

– Imposed limitation on audit scope, or financial framework not acceptable, or mgmt will not acknowledge its responsibility for selecting the financial framework, then decline the audit unless required by law.

79

Clarity Standards• Using a Service Organization (AU-C 402)

– Section 402 contain guidance “only” for “user” auditors. – A user organization is now known as a user “entity”.– A user auditor is permitted to refer to the work of a service

auditor report to explain a modification of the user auditor’s report (but still cannot make reference in an unmodified opinion)

– A user auditor is required to inquire of management of the user entity about whether the service organization has reported to the user entity any fraud, noncompliance with laws or regulations or uncorrected misstatements.

80

Clarity Standards• Audit Evidence (AU-C 501)

– Requires the auditor to seek direct communication with the entity’s lawyers only if the auditor assesses a risk a material misstatement regarding the litigation or claim or when audit procedures performed indicate that material litigation or claims may exist. Auditors must document the basis for any determination “not” to seek direct communication with the entity’s legal counsel.

– However, as a practical matter, most auditors will continue to communicate with the entity’s attorney(s).

81

Clarity Standards• External Confirmations (AU-C 505)

– “Written” Confirmations are required. (the extant standard requires that an oral confirmation should be documented, implying that it was acceptable to use oral confirmations)

– An oral confirmation does not meet the definition of an external confirmation.

– Oral confirmations may be considered part of alternative procedures performed to obtain sufficient appropriate audit evidence.

– The definition of an external confirmation includes audit evidence obtained by electronic or other medium provided the information comes from the third party.

– The presumptively mandatory requirement to confirm accounts receivable is found in AU-C 330.

82

Clarity Standards• Opening Balances on Initial and Reaudit Engagements

(AU-C 510)– Makes clear that reviewing a predecessor auditor’s

documentation “cannot” be the only procedure performed to obtain sufficient audit evidence regarding opening balances.

– Many auditors have the perception under the extant standard that reviewing the predecessor auditor’s audit documentation is all that needs to be done to obtain sufficient appropriate audit evidence.

– Auditors must determine whether:• Opening balances contain material misstatements• Accounting policies have been consistently applied between current year

and prior financial statements.

83

Clarity Standards

• Using the Work of An Auditor’s Specialist (AU-C 620)– The clarified standard includes in-house audit firm specialists

and requires incremental documentation.– The extant standard specifically scopes out the use of

specialists employed by the audit firm.

84

Clarity Standards

• Special Purpose Frameworks (AU-C 800)– Special purpose frameworks such as Cash, Tax, Regulatory, or

Contractual bases of Accounting are commonly referred to as OCBOAs.

– The term OCBOA is replaced with the term “Special Purpose Framework”

– The clarified standard requires several procedures when a “Special Purpose Framework” is utilized.

85

Clarity Standards

• Restricted Use Alert (AU-C 905)– Clarified standard is consistent with the extant standard except

when audit engagement is also performed in accordance with “Government Auditing Standards”, and the written communication pursuant to the engagement is required by law or regulation to be made publicly available.

– In this situation, the alert language describes the purpose of the communication and states that the communication is not intended to be and should not be used for any other purpose. No specified parties are identified in type of alert!

86

Clarity Standards

• Restricted Use Alert (AU-C 905)

New Paragraph Language:• The purpose of this [report, letter, presentation, or communication] is solely to

[describe the purpose of the auditor's written communication, such as to describe the scope of our testing of internal control over financial reporting and compliance, and the result of that testing, and not to provide an opinion on the effectiveness of the entity's internal control over financial reporting or on compliance]. This [report, letter, presentation, or communication] is an integral part of an audit performed in accordance with Government Auditing Standards in considering [describe the results that are being assessed, such as the entity's internal control over financial reporting and compliance]. Accordingly, this [report, letter, presentation, or communication] is not suitable for any other purpose.

• Notice: No specified parties.• Same type of language for A-133 Reports.

87

Clarity Standards

• Restricted Use Alert (AU-C 905)

Old Paragraph Language:This report is intended solely for the information and use of management, (Identify those charged with governance such as: the County Mayor/Executive, Road/Highway Superintendent, director of schools, County Commission, Highway Commission, Board of Education), others within Typical County, federal awarding agencies and pass-through entities (delete reference to pass-through entities if not applicable) and is not intended to be and should not be used by anyone other than these specified parties.

88

Clarity Standards

• SAS 126, The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern– Continuation of an entity as a going concern is assumed

absence significant information to the contrary– Auditor should evaluate whether there is substantial doubt for a

reasonable period of time (defined as one year)– This evaluation is based audit procedures planned and

performed to achieve the audit objectives (it is not necessary to design audit procedures solely to identify conditions or events, that taken in aggregate, indicate substantial doubt

– The auditor should consider management’s plans to mitigate the adverse effects of conditions or events creating substantial doubt

– Adequately disclosed89

Clarity Standards

• SAS 126, “The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern” – Obtain written representations from management– Include the words “substantial doubt” and “going concern” in

the auditor’s report in an emphasis-of-a-matter paragraph– If you decide to disclaim, the no going concern emphasis-of-a

matter paragraph– Communicate with those charged with governance

• Nature of conditions or events• Possible effects on the financial statements• Effects on the auditor’s report

90

Clarity Standards

• SAS 126, “The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern”

• Going Concern Emphasis-of-a-matter paragraph:

• Emphasis of Matter Regarding Going Concern• The accompanying financial statements have been prepared assuming that the

Company will continue as a going concern. As discussed in Note X to the financial statements, the Company has suffered recurring losses from operations and has a net capital deficiency that raise substantial doubt about its ability to continue as a going concern. Management's plans in regard to these matters are also described in Note X. The financial statements do not include any adjustments that might result from the outcome of this uncertainty. Our opinion is not modified with respect to this matter.

91

92

Questions?

Proposed Changes To Single Audit

Proposals• Reform of Federal Policies Relating to Grants and

Cooperative Agreements; Cost Principles and Administrative Requirements (Including Single Audit Act)

• Released in the Federal Register February 28, 2012 • Result of over a year of work by federal / state / local / IG

task force ordered by E.O. 13520 – Goals – Reduce fraud, waste and abuse – Increase cross-collaboration – Streamline reporting and adjudication of findings – Cut rules that are burdensome, ineffective etc.

94

Proposals

• Proposals fall under 3 Sections:

• Section A – reforms to A-133 and the Single Audit Act

• Section B – reforms to cost accounting principles – A-87 (also A-21 / A-122)

• Section C- reforms to the Common Rule (A-102)

95

Proposals


• Section A – reforms to A-133 and the Single Audit Act

96

A-133 Proposals

• Audit resolution and oversight resources will focus on higher dollar, higher risk awards – Entities receiving less than $1 Million in federal awards = NO

Single Audit required – Entities receiving greater than $1 Million but less than $3 million

in federal awards = More focused / targeted audit – Once major program determination made, audit only covers:

• Allowable / unallowable costs • Area at federal agency discretion, but targeting fraud, waste, and abuse.

97

A-133 Proposals

• Entities receiving greater than $3 million • Full single audit - BUT

– Cross – cutting requirements are gone. – Audit focused on Fraud, Waste, Abuse, and Improper payments – Focus is on universal requirements – proper stewardship of

federal funds • Practical Considerations for Auditors:

– Increased testing and sample sizes – Lower levels of materiality

98

A-133 Proposals• Possible Compliance Requirements: 1. Allowable or unallowable activities and costs, 2. Eligibility 3. Reporting 4. Selection of sub-recipients and sub-recipient monitoring 5. Special tests and provisions 6. Period of availability of Federal funds, 7. Compliance of procurement with suspension and

debarment policies 8. Davis / Bacon could be gonePreviously, there were 14 that auditors had to consider.

99

A-133 Proposals

Practical Considerations for Auditors:

• Less compliance requirements • Less audit burden • Use more of a risk based approach • Concentration will be on audit findings resolution

100

A-133 Proposals• Audit follow up may change:

• Federal agencies will be required to designate a single federal official to oversee audit resolution

• Federal agencies must implement metrics • Timeliness of report submission • Number of audits without an unqualified opinion • Number of repeat findings • Cooperative resolution between agencies and with

auditees pushed • Proactive approach on resolving audit issues

101

A-133 Proposals• Sub-recipient monitoring:

• Federal awarding agencies are responsible for coordinating additional audits of a recipient entity

• Ensuring that audits are coordinated across Federal agencies should reduce number of sub-recipients for which pass-through entities engage in follow- up efforts that could duplicate the Federal efforts.

• Federal agencies would be required for follow-up – not pass-through entities

102

Proposals


• Section B – reforms to cost accounting principles – A-87 (also A-21 / A-122)

103

A-87 Proposals• Some give and take features:

• Indirect (‘‘facilities and administrative’’) costs – proposal is for flat rates instead of negotiated rates. – Option 1- Mandatory flat rate discounted from negotiated rate

• Burden reduction in compliance and reduction of indirect costs – Option 2 – Discounted flat or negotiated rate

• Transition period to flat rate of 4 years with minimal documentation OR • Raised to negotiated rate with full documentation

104

A-87 Proposals• Salary / Maintenance of Effort Reform:

– Existing pilots used or development of new pilots to accountably document the allowability and allocability of salaries and wages charged to Federal awards as direct costs

• Directly allocable administrative support in higher education may be taken as a direct cost

• Cost of certain computer devices would be allowable as a supply cost

• Threshold probably involved

105

A-87 Proposals

• “Recycling” ban on depreciation may be lifted – Use of recovered costs from depreciation are sometimes used

for administrative costs • Certain IT costs may be more allowable than now –

especially for grants management systems • Improper payment recovery costs would be now

allowable

106

Proposals


• Section C- reforms to the Common Rule (A-102)

107

A-102 Proposals

• COMMON APPLICATION COMING for federal grants?

• Grants would now be graded on proposal’s merit and each applicant’s financial risk

• 90 day notice public required for all funding opportunities in a standard format

108

Future?

• OMB analyzing the feedback received on Advance Notice over next 4-5 months

• Proposed regulatory changes may be released for comment before the end of the calendar year – Revisions to OMB Circular A-133 – Revisions to the OMB Cost Principles (A-21, A-87, A-122) – Revision to Administrative Requirements (A-110, Common Rule)

• No plans that we are aware of to amend the Single Audit Act

• GAO to look at audit quality?

109

Service Organization Control Reporting

SSAE No. 16

From SAS 70 to SSAE 16

111


• Service auditor reporting has evolved over a 40+ year period

• SAS 70 became a de facto global standard• SAS 70 is viewed as a generic term• However, SAS 70 reports are being used in

ways for which they were never intended – they have been used as a form of certification or even proof of security or compliance.

112

Migration to a new standard

• General convergence of US and International Standards

• The International Auditing and Assurance Standards Board (IAASB) included service auditor reporting on its agenda in 2008, resulting in the development of an international standard

• The U.S. Auditing Standards Board agreed to conform to the IAASB approach

113


• IAASB has approved International Standard on Assurance Engagements (ISAE) No. 3402– US: SSAE 16

• New standard will be effective for reports covering periods ending on or after June 15, 2011

• Supersedes SAS 70

114

SSAE 16 – How does it compare to SAS 70

115


WHAT HAS NOT CHANGED:• Purpose & intended use of the report

– Primary purpose – provide information to the user entities financial statement auditors

– Focus is on controls at service organizations likely to be relevant to user entities’ internal control over financial reporting

– Intended for use by: • Management of the service organization• Entities that used the service organization during the period

(user entities) – includes indirect or downstream users• Financial Statement auditors of those user entities

116


WHAT HAS NOT CHANGED:• Core elements of the report

– Auditor’s Opinion– Management Description– Detailed Tests of Controls ( 2 types of reports)– Other Relevant Information

117


WHAT HAS NOT CHANGED:• Service Auditor’s Opinion

– Fair presentation of the description of the service organization’s system

– Suitability of the design of the service organization’s controls relative to the control objectives

– For type 2 engagements, operating effectiveness of the service organization’s controls relative to the control objectives

118


WHAT HAS NOT CHANGED:• Options for handling subservice organizations

– Carve out method– Inclusive method

119

WHAT HAS CHANGED:• Audit Standard vs. Attestation Standard

• An Attestation Engagement is:– An examination, a review, or an agreed-upon

procedures report on subject matter, or an assertion about the subject matter that is the responsibility of another party

– SSAE 16 only addresses examination engagements

120

WHAT HAS CHANGED:• Significant Terminology changes

– No longer a “SAS 70” report• SSAE 16• Service Organization Control (SOC 1) Report

– Service Organization’s “System”• Uses a broad definition of system• Includes policies & procedures designed, implemented and

documented to provide a service to user entities– Criteria

• Standards or benchmarks to present the subject matter and against which the practitioner evaluates the subject matter

121

WHAT HAS CHANGED:• New requirements impacting management

– Management must provide a written assertion for inclusion on the report

– Management must include the criteria used in making these assertions

– Management must have a reasonable basis for its assertion

– Assertion Page 1– Assertion Page 2– Assertion Page 3

122

WHAT HAS CHANGED:Management’s Assertion - A written assertion about whether in all material respects, and based on suitable criteria that:

– The description fairly presents the system that was designed and implemented throughout the period

– Controls were suitably designed throughout the period to achieve the control objectives

– Those controls operated effectively throughout the period to achieve the control objectives

123

WHAT HAS CHANGED:• Minimum criteria for evaluating:

– Fairness of presentation relative to the description of the system

• Presents how the system was designed and implemented• Includes relevant changes during the period• Does not omit or distort relevant information

124


– Suitability of the design of controls• Management identified the risks that threaten the

achievement of the control objective• Controls, if operating as described, provide reasonable

assurance that control objectives would be achieved

125


– Operating effectiveness• Consistent application throughout the period• Manual controls applied by individuals with appropriate

competence and authority

126

Reasonable Basis

WHAT HAS CHANGED:•In order to have a reasonable basis for its assertion, management should:

– Understand the criteria that should be used to make the assertion• Fairness – Does the description address all of the required

elements? • Design – Do we understand the risks and have we identified

the key controls that mitigate those risks?• Operating effectiveness – Do we know that those key

controls were operating with sufficient effectiveness to achieve the control objectives?

127

Reasonable Basis

WHAT HAS CHANGED:

Type 2 Report Page 1Type 2 Report Page 2Type 2 Report Page 3Type 2 Report Page 4Type 2 Report Page 5

128

WHAT HAS CHANGED:• Changes impacting the report

– Use of Internal Audit must be disclosed– The Service Auditor’s Report

• Expanded wording on management’s responsibilities• Opinion on fairness of presentation and design in a type 2

report will now cover the entire period • One opinion addressing all three elements • Intended users

• SOC 1, SOC 2, SOC 3

129

WHAT HAS CHANGED:

Seals 1Seals 2

130

Questions?

Jerry E. Durham, CPA, CGFM, CFEDivision of Local Government Audit

[email protected]

Documents

Slide Heading