Presentation is loading. Please wait.

Presentation is loading. Please wait.

Audit Standards Update with Focus on Risk Suite and Impact on IT Audit Anne Skorija and Mike Billo Commonwealth of Pennsylvania Department of the Auditor.

Similar presentations


Presentation on theme: "Audit Standards Update with Focus on Risk Suite and Impact on IT Audit Anne Skorija and Mike Billo Commonwealth of Pennsylvania Department of the Auditor."— Presentation transcript:

1 Audit Standards Update with Focus on Risk Suite and Impact on IT Audit Anne Skorija and Mike Billo Commonwealth of Pennsylvania Department of the Auditor General

2 Objectives Risk Assessment Standards (SAS 104-111) – What lessons have we learned during implementation and External Quality Control Reviews Other AICPA Standards including: – Communicating Internal Control Related Matters Identified in an Audit (SAS 112 vs. 115) – Communication with Those Charged with Governance (SAS 114) October 1, 2009 Pennsylvania Department of the Auditor General 2

3 Objectives GAO Standards: – Government Auditing Standards – 2007 revisions impacting IT Audit (Financial and Performance Audits) – Federal Information System Controls Audit Manual (FISCAM) – updated February 2009 – Assessing the Reliability of Computer Processed Data – updated July 2009 October 1, 2009 Pennsylvania Department of the Auditor General 3

4 SAS 104 - 111 Risk Assessment Standards October 1, 2009 Pennsylvania Department of the Auditor General 4

5 Risk Assessment Audit Standards All issued March 2006 Effective for audits of Financial Statements for periods beginning after December 15, 2006 (some audits already through External QCR) These standards stress improving the quality and depth of understanding and effectiveness of financial statements being audited October 1, 2009 Pennsylvania Department of the Auditor General 5

6 What Risk Assessment Means When planning and conducting an audit, the main focus should be on those areas of higher risk for material misstatement Step 1 – think about where material misstatements can occur Step 2 – design audit procedures responsive to those risks Step 3 – evaluate audit findings and assess impact on audit opinion October 1, 2009 Pennsylvania Department of the Auditor General 6

7 SAS 104 Amendment to SAS 1, Codification of Auditing Standards and Procedures (Due Professional Care in the Performance of Work) Reasonable assurance is a key concept that underlies all aspects of auditing Clarifies that the term reasonable means a high level of assurance Auditors need reasonable assurance that the Financial Statements are not materially misstated October 1, 2009 Pennsylvania Department of the Auditor General 7

8 SAS 105 Amendment to SAS 95, Generally Accepted Auditing Standards Cleans up language throughout SASs must be performed by persons having adequate technical training and proficiency as an auditor must obtain sufficient understanding of the entity, environment, including Internal control… must obtain sufficient appropriate audit evidence October 1, 2009 Pennsylvania Department of the Auditor General 8

9 SAS 106 Audit Evidence Sufficient appropriate audit evidence is basis for audit opinions – Evidence must be gathered for each of the relevant F/S assertions Defines the term appropriate – measure of quality Auditors should evaluate the nature and complexity of the use of IT October 1, 2009 Pennsylvania Department of the Auditor General 9

10 SAS 107 Audit Risk and Materiality in Conducting an Audit Risk of Material Misstatement (RMM) Inherent Risk Control Risk Determining Materiality What would users consider material? October 1, 2009 Pennsylvania Department of the Auditor General 10

11 SAS 108 Planning and Supervision Auditor may assign a professional possessing IT skills to inquire – How data and transactions are initiated, authorized, recorded, processed and reported – How IT controls are designed; inspecting systems documentation, observing operation of IT controls; and planning and performing tests of IT controls Consider changes in IT systems when planning October 1, 2009 Pennsylvania Department of the Auditor General 11

12 SAS 109 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement SAS 109 and 110 together supersede SAS 55, 78 and 94 Includes consideration of the entitys use of information technology More on this later… October 1, 2009 Pennsylvania Department of the Auditor General 12

13 SAS 110 Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained Design further audit procedures in response to risks of material misstatement at the relevant assertion level. Make a clear connection between risks/controls over IT and the extent of testing October 1, 2009 Pennsylvania Department of the Auditor General 13

14 SAS 111 Amendment to Statement on Auditing Standards No. 39, Audit Sampling Cleans up Audit Sampling (AU Section 350 – SAS 39) to include the Risk Assessment Standards October 1, 2009 Pennsylvania Department of the Auditor General 14

15 SAS 109 Greatest Impact on IT Audits October 1, 2009 Pennsylvania Department of the Auditor General 15

16 Key Steps in a Financial Statement Audit Assess Risk – by performing Risk Assessment Procedures (SAS 109) – Every financial statement audit you are required to assess the risks that individual financial statement assertions are materially misstated. – Including risks associated by IT Respond to Risk – by designing audit tests that address those risks (SAS 110) October 1, 2009 Pennsylvania Department of the Auditor General 16

17 Emphasis is on Transactions Information technology encompasses automated means of originating, processing, storing and communicating information An entitys use of IT may be extensive, however, the auditor is primarily interested in the entity's use of IT to initiate, authorize, record, process, and report transactions or other financial data October 1, 2009 Pennsylvania Department of the Auditor General 17

18 Audit Risk Risk that the financial statements are materially misstated – and the auditor fails to detect such a misstatement or appropriately modify the audit opinion Reduce audit risk by: – Assessing the risk of material misstatement – Based on that assessment, design and perform overall responses and further audit procedures that reduce audit risk to a low level. October 1, 2009 Pennsylvania Department of the Auditor General 18

19 Significant Classes of Transactions Transactions that are important to our assessment of the risk of material misstatement – Therefore, we need to design audit procedures to test these transactions by assertion (Occurrence; Completeness; Accuracy; Cutoff; Classification ) For example: Personal Income Tax transactions may be a significant class of transactions to a State October 1, 2009 Pennsylvania Department of the Auditor General 19

20 Material Account Balances Account balance on the balance sheet is important to our assessment of the risk of material misstatement – Therefore we need to design audit procedures to test the F/S assertions relevant to this account balance (Existence; Rights and Obligations; Completeness; Valuation and Allocation) Example: Long-term Debt may be a material balance to a states balance sheet October 1, 2009 Pennsylvania Department of the Auditor General 20

21 Internal Control Components Control Environment – sets the tone Entitys risk assessment – identification and analysis of relevant risks Information and Communication systems – support the identification, capture and exchange of information Control activities – policies and procedures that help ensure that management directives are carried out Monitoring – Asses quality of internal controls over time October 1, 2009 Pennsylvania Department of the Auditor General 21

22 Obtain an Understanding The auditor should understand the five components of internal control in order to assess the risk of material misstatement which will assist in the following: – Identifying potential misstatements – Considering issues that affect the risks of material misstatement – Assisting in the design tests of controls and substantive procedures October 1, 2009 Pennsylvania Department of the Auditor General 22

23 Whats New in SAS 109 Need to establish a clear link between: – Audit risk – Significant classes of transactions/material balances – Financial Statement Assertions AND – IT Applications and Systems October 1, 2009 Pennsylvania Department of the Auditor General 23

24 Computer Controls General Controls – Access (logical and physical) – Change management – Operations Application Controls October 1, 2009 Pennsylvania Department of the Auditor General 24

25 Goal of Computer Control Reviews Gain an adequate understanding of the computer controls; document that understanding so that a clear link exists between the controls that have been implemented to the significant financial statement assertions, i.e., significant account balances and significant classes of transactions October 1, 2009 Pennsylvania Department of the Auditor General 25

26 SAS 109 Steps to Implementation October 1, 2009 Pennsylvania Department of the Auditor General 26

27 Implementing the Risk Assessment Standards Training: – IT Auditors trained to think like financial auditors: Risk, material balances, significant classes of transactions – Financial Auditors learning to better identify the applications/systems that are the sources of the Financial Statements Communications: – IT Auditors and Financial Auditors meeting to compare applications vs. transactions/balances Lesson learned: Do Not Assume October 1, 2009 Pennsylvania Department of the Auditor General 27

28 Assess the Situation New staff with IT backgrounds First year back involved with statewide financial audit Simultaneous implementation with financial auditors October 1, 2009 Pennsylvania Department of the Auditor General 28

29 Training of our staff Review of the CAFR and Basic Financial Statements Interplay of opinion units and materiality Significant Classes of Transactions Material Balances Audit Risk – Risk of Material Misstatement October 1, 2009 Pennsylvania Department of the Auditor General 29

30 Training of our staff Risk Assessment Standards – Risk and materiality in a financial statement audit – How a financial statement audit differs from a performance audit Focus on SAS 109 – Five components of internal control October 1, 2009 Pennsylvania Department of the Auditor General 30

31 Agency Entrance Conferences Training auditees – providing background information on risk assessment standards and new reporting requirements (SAS 112) Focus on services provided by IT to the agency: What do you do? What transactions do your applications create? Take away: list of applications and transactions – Start to make the connection between systems/applications and dollars October 1, 2009 Pennsylvania Department of the Auditor General 31

32 Meeting with Financial Audit Team Discuss the list of applications and transactions with the Financial Audit Teams (each agency) Determine which applications process – Significant classes of transactions, or – Material financial statement balances Are we missing any applications? – E.g., a certain educational subsidy was not processed by the Department of Education but rather processed by another agency on a Unix box across town October 1, 2009 Pennsylvania Department of the Auditor General 32

33 Summary Memo List of applications and systems included in our controls review Strategy for grouping systems to efficiently review controls – Common control can be reviewed together – i.e., common use of Active Directory for user authentication or Endeavor to manage change Level of procedures to be performed – Walkthrough of one vs. test of a sample Are we missing any applications? – Confirm again with financial auditors October 1, 2009 Pennsylvania Department of the Auditor General 33

34 IT Audit Procedures Documenting operational effectiveness of controls placed in operation Walkthroughs in four key areas: – Manage change – Logical access – Physical access – Computer operations October 1, 2009 Pennsylvania Department of the Auditor General 34

35 SAS 109 – New Areas of Interest Manual controls that depend on IT (paragraph 84) Error correction procedures (paragraph 85) Controls over the financial reporting process (paragraph 86) – Enter transaction totals into the general ledger (or equivalent record). – Journal entries and recurring journal entries – Combine into financial statements October 1, 2009 Pennsylvania Department of the Auditor General 35

36 Other New SASs SAS 112 – Communicating Internal Control Related Matters Identified in an Audit (updated by SAS 115) SAS 113 – Omnibus Statement on Auditing Standards – 2006 SAS 114 – The Auditors Communication With Those Charged With Governance October 1, 2009 Pennsylvania Department of the Auditor General 36

37 Communicating Internal Control Matters Identified in an Audit Audit Requirements: – Financial Audits: SAS 112; GAO 5.10-5.14 – Performance Audits: GAO 8.18 – 8.20 SAS 115 – effective for audits of financial statements for periods ending on or after December 31, 2009 – OMB Circular A133 still requires SAS 112 language for FYE 6/30/09 audits – Yellow Book – still uses SAS 112 language October 1, 2009 Pennsylvania Department of the Auditor General 37

38 SAS 112 vs. 115 New definition of Significant Deficiency – SAS 112 adversely affect the entitys ability to initiate, authorize, record, process or report financial data; and More than a remote likelihood of misstatement – SAS 115 Deficiency or combination of deficiencies in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. October 1, 2009 Pennsylvania Department of the Auditor General 38

39 SAS 112 vs. 115 Change to definition of Material Weakness – SAS 112 More than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected – SAS 115 Reasonable possibility that a material misstatement of the financial statements will not be prevented, or detected and corrected on a timely basis October 1, 2009 Pennsylvania Department of the Auditor General 39

40 Those Charged With Governance (TCWG) Audit Requirements: – Financial Audits: SAS 114; Communication requirements in SAS 54, 74, 99, 112 ; GAO 4.06-4.08, 5.44 – Performance Audits: GAO 7.46 -7.49, 8.05, 8.07, 8.43, Auditors should document – the process used to identify TCWG & the conclusions reached for the appropriate individuals to receive the required communications and – evidence that communication with TCWG occurred. October 1, 2009 Pennsylvania Department of the Auditor General 40

41 Recent GAO Guidance October 1, 2009 Pennsylvania Department of the Auditor General 41

42 Government Auditing Standards Impact on IT Audits – in 2007 revision: Chapter 4 – Fieldwork Standards for Financial Audits – Covered by AICPA Auditing Standards Chapter 7 – Standards for Performance Audits – Some new language October 1, 2009 Pennsylvania Department of the Auditor General 42

43 2007 Yellow Book IT impacts performance audits in three ways (paragraph 7.27): 1.Information systems controls as part of internal controls 2.Information systems as the source of reports and data files (used as evidence and/or used to support report) 3.Evaluation of information systems controls as a major part of an audit objective October 1, 2009 Pennsylvania Department of the Auditor General 43

44 Categories of General Controls in 2007 Yellow Book 2007 Yellow Book lists general controls under the following categories: – Security management – Logical and physical access – Configuration management – Segregation of duties – Contingency planning Categories correspond to FISCAM 2009 October 1, 2009 Pennsylvania Department of the Auditor General 44

45 FISCAM Federal Information System Controls Audit Manual (FISCAM) Revised February 2009 Expanded Purpose: provide guidance for GAGAS Audits Conforms with 2007 Yellow Book and AICPA auditing standards October 1, 2009 Pennsylvania Department of the Auditor General 45

46 Business Process Application Controls Categories in both 2007 Yellow Book and 2009 FISCAM: – Completeness – Accuracy – Validity – Confidentiality – Availability October 1, 2009 Pennsylvania Department of the Auditor General 46

47 Assessing the Reliability of Computer Processed Data – July 2007 Designed to be consistent with 2007 Yellow Book Replaces the 2002 Assessing the Reliability of Computer-Processed Data Key Points: – Conducting only the amount of work necessary to determine whether the data are reliable enough – Maximizing professional judgment October 1, 2009 Pennsylvania Department of the Auditor General 47

48 Assessing the Reliability of Computer Processed Data – July 2007 October 1, 2009 Pennsylvania Department of the Auditor General 48

49 Questions/Comments Thank you! October 1, 2009 Pennsylvania Department of the Auditor General 49


Download ppt "Audit Standards Update with Focus on Risk Suite and Impact on IT Audit Anne Skorija and Mike Billo Commonwealth of Pennsylvania Department of the Auditor."

Similar presentations


Ads by Google