Presentation on theme: "Understanding the Entity"— Presentation transcript:
1 Understanding the Entity
AU Section 314
Understanding the Entity and Its Environment and Assessing the Risks
Source: SAS No
The Risk Assessment Standards
C Delano Gray
June 18, 2008
2 Risk Assessment Standards
The risk assessment standards consist of:
- SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Due Professional Care
- SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
- SAS No. 106, Audit Evidence
- SAS No. 107, Audit Risk and Materiality in Conducting an Audit (Audit Risk and Materiality)
- SAS No. 108, Planning and Supervision
- SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Assessing Risks)
- SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Performing Procedures)
- SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling
3 Risk Assessment Standards
The risk assessment standards consist of:
- SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (Superseded SAS 60)
- SAS No. 113, Omnibus Standards
- SAS No. 114, The Auditor’s Communication with Those Charged with Governance (Supersedes SAS 61)
Source: AICPA
4 Risk Assessment Standards
The ASB believes that the SASs represent a significant strengthening of auditing standards, which in turn will improve the quality of audits conducted under these standards.
5 Objectives
The objectives of the SASs are to improve audit effectiveness by requiring:
- A more in-depth understanding of the entity and its environment, including its internal control.
- More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements.
- A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.
6 Knowledge
This assumes the following:
- Knowledge of the SASs
- Knowledge of FAS and Interpretations
- Knowledge of Industry Specific Standards
- Knowledge of SOPs and EITF Pronouncements
- Knowledge of Entity’s Industry, Markets, Competitors and Industry Practices
8 Overview of SASs
SAS No. 104, Amendment to SAS No. 1
SAS No. 104 expands the definition of “reasonable assurance” as a “high” level of assurance.
9 Overview of SASs
SAS No. 105, Amendment to SAS 95, Generally Accepted Auditing Standards
- “Internal control” is replaced by “the entity and its environment, including its internal control”
- “Further audit procedures” replaces “tests to be performed”
- “Audit evidence” replaces “evidential matter”
10 Overview of SASs
SAS No. 106, Audit Evidence (Amends SAS 31)
“The auditor must obtain sufficient audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.”
11 Overview of SASs
SAS No. 106, Audit Evidence
Audit evidence is all the information used by the auditor in arriving at the conclusions on which the audit opinion is based and includes:
- Entity’s accounting records
- Confirmations
- Minutes
- Industry reports
- Audit procedures such as inquiries, observations, inspections, etc.
12 Overview of SASs
SAS No. 106, Audit Evidence
Audit Procedures
- Risk Assessment Procedures
  - Inquiries
  - Analytical procedures
  - Inspection and observation
- Further Audit Procedures
  - Test of controls
  - Substantive procedures
    - Test of details
    - Substantive analytical procedures
13 Overview of SASs
SAS No. 106, Audit Evidence
The use of assertions in obtaining audit evidence: these are management’s implicit or explicit assertions regarding the recognition, measurement, presentation and disclosure of information in the financial statements and related disclosures.
14 Overview of SASs
SAS No. 106, Audit Evidence (continued)
Categories of Assertions
- Classes of transactions
- Account balances
- Presentation and disclosure
15 Overview of SASs
SAS No. 107, Audit Risk and Materiality (Amends SAS 47)
“The auditors should perform the audit to reduce audit risk to a low level that is (in his or her judgment) appropriate for expressing an opinion on the financial statements.”
16 Overview of SASs
Audit Risk and Materiality - SAS 107
“The auditor’s consideration of materiality is a matter of professional judgment and is influenced by the auditor’s perception of the needs of users of financial statements” (SAS 107)
17 Overview of SASs
SAS No. 108, Planning and Supervision (Amends SAS 1 and SAS 22)
“The auditor must adequately plan the work and must properly supervise any assistants.”
18 Overview of SASs
SAS No. 109, Assessing Risks
“The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.”
19 Risk Assessment Standards
Enhances the auditor’s application of the audit risk model in practice by requiring:
- More in-depth understanding of the entity and its environment, including its internal control, to better understand where risks of misstatements are higher
- May require greater understanding of internal control design and implementation of controls
- Ability to default to maximum control risk assessment removed
- Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed
20 Risk Assessment Standards
Enhances the auditor’s application of the audit risk model:
AR = [CR x IR] x DR
[CR x IR] = RMM
where:
AR = Audit Risk
CR = Control Risk
IR = Inherent Risk
DR = Detection Risk
RMM = Risk of Material Misstatement
Source: AICPA
21 Risk Assessment Standards
Internal Control Framework is unchanged
22 SAS 109
Understanding the Entity and Its Environment and Assessing the Risks
23 Introduction
.01 This section establishes standards and provides guidance about implementing the second standard of field work, as follows:
- The auditor must obtain a sufficient understanding of the entity and its environment,
- Its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud,
- Design the nature, timing, and extent of further audit procedures.
24
.02 The following is an overview of this standard:
- Risk assessment procedures and sources of information about the entity and its environment, including its internal control.
This section explains the audit procedures that the auditor should perform to obtain the understanding of the entity and its environment, including its internal control (risk assessment procedures).
The audit team should discuss the susceptibility of the entity's financial statements to material misstatement.
25 Risk Assessment Standards
The auditor should assess the risks of material misstatement at the financial statement level and at the relevant assertion level on all audits, based on the understanding obtained.
26 Risk Assessment Standards
New Assertion Framework
Categories (table columns): Classes of Transactions | Account Balances | Presentation and Disclosures
Assertions (table cells, in the order extracted): Occurrence; Existence; Occurrence and Rights and obligations; Completeness; Rights and obligations; Accuracy; Classification and understandability; Cutoff; Valuation and allocation; Accuracy and valuation; Classification
27 Risk Assessment Standards
- Identifying risks through considering:
  - The entity and its environment, including its internal control
  - Classes of transactions, account balances, and disclosures
- Relating the identified risks to what could go wrong at the relevant assertion level
- Significant risks [1]
[1] SAS 109, Assessing Risks, paragraphs
28 Risk Assessment Standards
Audit Risk | Auditor’s Response
Financial Statement | Overall responses
Account level | Further Audit Procedures (Tests of Controls and Substantive Tests)
29 Risk Assessment Standards
- Testing of controls is encouraged
- The requirement to link assessed risks and the audit procedures responsive to those risks is improved
- Risk assessment is a continuous process, not a series of discrete stages
30 Risk Assessment Standards
Perform further audit procedures that are clearly linked to risks at the relevant assertion level by:
- Performing tests of the operating effectiveness of controls
- Performing substantive procedures
- Evaluating the adequacy of presentation and disclosure [1]
Evaluate whether sufficient competent audit evidence has been obtained [2]
[1] SAS 110, Performing Procedures SAS, paragraphs 23-68
[2] SAS 110, Performing Procedures, paragraphs 70-76
Source: AICPA
31 Risk Assessment Standards
- Greater emphasis is placed on testing of disclosures
- Greater emphasis is placed on the evaluation of internal controls
- Guidance on evaluating audit findings is clarified and expanded
- Documentation requirements are significantly expanded
32 Significant Changes to Existing Practices
- Identifying and assessing the risks of material misstatements at both the financial statement level and the relevant assertion level by performing risk assessment procedures.
- Designing and performing tailored further audit procedures responsive to assessed risks at the relevant assertion level.
- Linkage of audit procedures to the risk of material misstatement.
33 AU Section 314
Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Supersedes SAS No. 55)
Source: SAS No
Effective for audits of financial statements for periods beginning on or after December 15, Earlier application is permitted.
34 Risk Assessment Overview: New Process
[Diagram labels: Inquiries; Analytical Procedures; Brainstorming; Fraud Risk Factors; Other; Risk Assessment; Respond]
35 SAS No. 109, Assessing Risks
Risk assessment procedures and sources of information about the entity and its internal control are:
- Inquiries
- Analytical procedures
- Observation and inspection
- Discussion among audit team
36 SAS No. 109, Assessing Risks
Inquiries of management may be directed toward:
- External parties: for example, legal counsel, bankers, valuation experts, etc.
- Internal: for example, those charged with governance, internal audit, employees other than accounting personnel, in-house counsel, etc.
37 SAS No. 109, Assessing Risks
Analytical Procedures
- Use guidance of SAS 56, Analytical Procedures
- Helpful in identifying unusual transactions or events
- Assist in determining amounts, ratios, trends in the financial statements
38 SAS No. 109, Assessing Risks
Observation and inspection include:
- Inspection of documents and manuals (for example, accounting or internal control)
- Reading internal reports and minutes
- Visiting premises and plant facilities
- Tracing transactions through systems
39 SAS No. 109, Assessing Risks
The auditor should consider the results of the fraud risk assessment performed during planning along with other information gathered in identifying the risks of material misstatements.
40 SAS No. 109, Assessing Risks
Discussion among audit team:
- Can be held at the same time as the discussion specified in SAS 99.
- Objective is for members to gain a better understanding of the potential for material misstatements.
- An opportunity for more experienced members to share their insights.
41 SAS No. 109, Assessing Risks
Understanding the entity and its environment, including its internal control:
- Industry, regulatory, and other external factors
- Nature of the entity
- Objectives and strategies and the related business risks that may result in a material misstatement of the financial statements
- Measurement and review of the entity's financial performance
- Internal control
43 SAS No. 109, Assessing Risks (continued)
The auditor should obtain a sufficient understanding of internal controls to:
- Evaluate the design of controls relevant to the audit,
- Determine whether the controls have been implemented.
44 SAS No. 109, Assessing Risks
- The auditor should perform risk assessment procedures to obtain an understanding of internal control. Procedures include observation, inspection, or performing walkthroughs.
- Inquiry alone is not sufficient to evaluate the design of controls and whether they have been implemented.
45 SAS No. 109, Assessing Risks
The auditor should identify and assess the risks of material misstatements at:
- Financial statement level
- The relevant assertion level
46 Internal Controls
The three primary objectives of effective internal control.
47 Internal Control Objectives
1. Reliability of financial reporting
2. Efficiency and effectiveness of operations
3. Compliance with laws and regulations
48 Management’s Responsibilities
Contrast management’s responsibilities for maintaining and reporting on internal controls with the auditor’s responsibilities for understanding, testing, and reporting on internal controls.
49 Management and Auditor Responsibilities Related to Internal Control
- Management’s responsibility for establishing internal control
- Reasonable assurance
- Inherent limitations
50 Management and Auditor Responsibilities Related to Internal Control
- Design of internal control
- Operating effectiveness of controls
51 Management and Auditor Responsibilities Related to Internal Control
- Auditor responsibilities for understanding internal control
- Controls over the reliability of financial reporting
- Control over classes of transactions
- Auditor responsibilities for testing internal control
52 The five components of the COSO internal control framework.
53 Five Components of Internal Control
- Control environment
- Risk assessment
- Information and communication
- Control activities
- Monitoring
54 The Control Environment
- Integrity and ethical values
- Commitment to competence
- Board of directors or audit committee participation
55 The Control Environment
- Management’s philosophy and operating style
- Organizational structure
- Human resource policies and practices
56 Risk Assessment
- Identify factors that may increase risk
- Estimate the significance of the risk
- Assess the likelihood of the risk occurring
- Determine actions necessary to manage the risk
57 Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
58 Adequate Separation of Duties
- Custody of assets from accounting
- Authorization of transactions from the custody of related assets
- Operational responsibility from record-keeping responsibility
- IT duties from user departments
59 Proper Authorization of Transactions and Activities
- General authorization
- Specific authorization
60 Adequate Documents and Records
- Prenumbered consecutively
- Prepared at the time of transaction
- Designed for multiple use
- Constructed to encourage correct preparation
61 Physical Control Over Assets and Records
The most important type of protective measure for safeguarding assets and records is the use of physical precautions.
62 Independent Checks on Performance
The need for independent checks arises because internal control tends to change over time unless there is a mechanism for frequent review.
63 Information and Communication
The purpose of an accounting information and communication system is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.
64 Monitoring
Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and modified when needed.
65 Documenting Controls
Obtain and document an understanding of internal control.
66 Process for Understanding Internal Control and Assessing Control Risk
- Phase 1: Obtain an understanding of internal control: design and operation
- Phase 2: Assess control risk
- Phase 3: Design, perform, and evaluate tests of controls
- Phase 4: Decide planned detection risk and substantive tests
67 Obtain and Document Understanding of Internal Control
SAS 109 and PCAOB Standard 2 both require auditors to obtain an understanding of internal control for every audit.
Procedures to obtain an understanding:
- Design of internal controls
- Whether placed in operation
Uses this information as a basis for the integrated audit
69 Narrative
1. The origin of every document and record in the system
2. All processing that takes place
3. The disposition of every document and record in the system
4. An indication of the controls relevant to the assessment of control risk
70 Evaluating Internal Control Operation
- Update and evaluate auditor’s previous experience with the entity
- Make inquiries of client personnel
- Examine documents and records
- Observe entity activities and operations
- Perform walk-throughs of the accounting system
71 Control Risks and Audit Objectives
Assess control risk by linking key controls, significant deficiencies, and material weaknesses to transaction-related audit objectives.
72 Assess Control Risk
- Assess whether the financial statements are auditable.
- Determine assessed control risk supported by the understanding obtained, assuming the controls are being followed.
- Use of a control risk matrix to assess control risk.
73 Control Risk Matrix
Many auditors use the control risk matrix to assist in the control risk assessment process.
74 Control Risk Matrix
- Identify audit objectives
- Identify existing controls
- Associate controls with related audit objectives
- Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses
75 Evaluating Significant Control Deficiencies
[Figure: matrix with axes SIGNIFICANCE (Immaterial, Material) and LIKELIHOOD (Remote, Probable); labeled region: Material Weakness]
76 Identify Deficiencies and Weakness
- Identify existing controls
- Identify the absence of key controls
- Consider the possibility of compensating controls
- Decide whether there is a significant deficiency or material weakness
- Determine potential misstatements that could result
77 Communications
- Communications to those charged with governance
- Management letters
78 Tests of Controls
The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.
79 Procedures for Tests of Controls
1. Make inquiries of client personnel
2. Examine documents, records, and reports
3. Observe control-related activities
4. Reperform client procedures
80 Extent of Procedures
- Reliance on evidence from prior year’s audit
- Testing of controls related to significant risks
- Testing less than the entire audit period
81 Relationship of Assessed Control Risk and Extent of Procedures
Table columns: Type of procedure | High level: Procedures to obtain an understanding | Lower level: Tests of controls
Types of procedure (rows): Inquiry; Documentation; Observation; Reperformance
Cell values (in the order extracted): Yes–extensive; Yes–with transaction walk-through; No; Yes–some; Yes–using sampling; Yes–at multiple times
82 READY??
How to get ready.
- Document each significant business process in writing.
- Assess business risks involved in each process.
- Identify “key” controls within those processes to mitigate risks. If controls aren’t adequate to mitigate risks, you would need to consider implementing stronger controls.
- Also, establish a monitoring process whereby these business processes are evaluated to ensure that “key” controls are operating effectively throughout the period.
- The control activities questionnaire may be a good starting point to help identify your significant business processes and the key controls for those processes.
83 Decide Planned Detection Risk and Design Substantive Tests
- The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests.
- The auditor links the control risk assessments to the balance-related audit objectives.
84 Check applicable risk category
Audit of Activity: __________________________________________
Check applicable risk category:
Business Objective
Business Risk
1.
- Regulatory & Legal Issues
- Information Systems
- Operational Performance
- Ext. and Int. Environment
- Assets
85
Risk | Importance of Risk | Control Activities to Address Risk | Impact on audit (Test)
A.
1.
2.
86 AUDIT DEPARTMENT
COMPANY NAME:
PREPARED BY: __________________
REVIEWED BY: ___________________
DATE: _____/_______/______
SECTION XX: Audit of ………………….
AUDIT DATE: As of mm/dd/yyyy
87 DRAFT
Time Budget | Performed by | W/P REF
Operational Procedure
Description of Controls
Audit Objective
Audit Scope
Audit Procedure
1.
2.
Findings
The following exceptions were noted during the audit:
(1) =
(2) =
All findings were discussed with the responsible manager.
Tickmark Legend
= No Exception Noted
= Traced to
® = Reviewed P & P Manual.
Conclusion.
DRAFT
88 Section 404 Reporting on Internal Control
1. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects.
2. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.