Understanding the Entity AU Section 314 Understanding the Entity and Its Environment and Assessing the Risks Source: SAS No. 109. The Risk Assessment Standards C Delano Gray June 18, 2008
Risk Assessment Standards The risk assessment standards consist of: SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Due Professional Care SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards SAS No. 106, Audit Evidence SAS No. 107, Audit Risk and Materiality in Conducting an Audit (Audit Risk and Materiality) SAS, No. 108, Planning and Supervision SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Assessing Risks) SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Performing Procedures) SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling
Risk Assessment Standards The risk assessment standards consist of: SAS No. 112 Communicating Internal Control Related Matters Identified in an Audit (Superseded SAS 60) SAS No. 113 Omnibus Standards SAS No. 114 The Auditor’s Communication with Those Charged with Governance (Supersedes SAS 61) http://www.aicpa.org/Professional+Resources/Accounting+and+Auditing/Audit+and+Attest+Standards/Authoritative+Standards+and+Related+Guidance+for+Non-Issuers/auditing_standards.htm Source: AICPA
Risk Assessment Standards The ASB believes that the SASs represent a significant strengthening of auditing standards which in turn will improve the quality of audits conducted under these standards
Objectives The objectives of the SASs are to improve audit effectiveness by requiring: A more in-depth understanding of the entity and its environment, including its internal control. More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements. A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.
Knowledge This assumes the following Knowledge of the SAS’s Knowledge of FAS and Interpretations Knowledge of Industry Specific Standards Knowledge of SOP’s and EITF Pronouncements Knowledge of Entity’s Industry, Markets, Competitors and Industry Practices.
Overview of SASs
Overview of SASs SAS No. 104, Amendment to SAS No. 1 SAS No. 104 expands the definition of “reasonable assurance” as a “high” level of assurance”
Overview of SASs SAS No. 105, Amendment to SAS 95, Generally Accepted Auditing Standards “Internal control” is replaced by “the entity and its environment, including its internal control” “Further audit procedures” replaces “tests to be performed” “Audit evidence” replaces “evidential matter”
Overview of SASs SAS No. 106, Audit Evidence (Amends SAS 31) “The auditor must obtain sufficient audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.”
Overview of SASs SAS No. 106, Audit Evidence Audit evidence is all the information used by the auditor in arriving at the conclusions on which the audit opinion is based and includes: Entity’s accounting records, Confirmations, Minutes, Industry reports, Audit procedures such as inquiries, observations, inspections, etc.
Overview of SASs SAS No. 106, Audit Evidence Audit Procedures Risk Assessment Procedures Inquiries Analytical procedures Inspection and observation Further Audit Procedures Test of controls Substantive procedures Test of details Substantive analytical procedures
Overview of SASs SAS No. 106, Audit Evidence The use of assertions in obtaining audit evidence – these are management’s implicit or explicit assertions regarding the recognition, measurement, presentation and disclosure of information in the financial statements and related disclosures.
Overview of SASs SAS No. 106, Audit Evidence (continued) Categories of Assertions Classes of transactions Account balances Presentation and disclosure
Overview of SASs SAS No. 107, Audit Risk and Materiality (Amends SAS 47) “The auditors should perform the audit to reduce audit risk to a low level that is (in his or her judgment) appropriate for expressing an opinion on the financial statements.”
Overview of SASs Audit Risk and Materiality - SAS 107. "The auditor's consideration of materiality is a matter of professional judgment and is influenced by the auditor’s perception of the needs of users of financial statements” SAS 107.
Overview of SASs SAS No. 108, Planning and Supervision (Amends SAS 1 and SAS 22) “The auditor must adequately plan the work and must properly supervise any assistants.”
Overview of SASs SAS No. 109, Assessing Risks “The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.”
Risk Assessment Standards Enhances the auditor’s application of the audit risk model in practice by requiring: More in-depth understanding of the entity and its environment, including its internal control to better understand where risks of misstatements are higher May require greater understanding of internal control design and implementation of controls Ability to default to maximum control risk assessment removed Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed
Risk Assessment Standards Enhances the auditor’s application of the audit risk model: AR = [CR x IR] x DR [CR x IR] = RMM AR = Audit Risk CR = Control Risk IR = Inherent Risk DR =Detection Risk RMM = risk of material misstatement Source: AICPA.
Risk Assessment Standards Internal Control Framework is unchanged
Understanding the Entity and Its Environment and Assessing the Risks SAS 109 Understanding the Entity and Its Environment and Assessing the Risks
Introduction .01 This section establishes standards and provides guidance about implementing the second standard of field work, as follows: The auditor must obtain a sufficient understanding of the entity and its environment, Its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, Design the nature, timing, and extent of further audit procedures.
.02 The following is an overview of this standard: • Risk assessment procedures and sources of information about the entity and its environment, including its internal control. This section explains the audit procedures that the auditor should perform to obtain the understanding of the entity and its environment, including its internal control (risk assessment procedures). The audit team should discuss the susceptibility of the entity's financial statements to material misstatement.
Risk Assessment Standards The auditor should assess the risks of material misstatement at the financial statement level and at the relevant assertion level on all audits based on the understanding obtained
Risk Assessment Standards New Assertion Framework Classes of Transactions Account Balances Presentation and Disclosures Occurrence Existence Occurrence and Rights and obligations Completeness Rights and obligations Accuracy Classification and understandability Cutoff Valuation and allocation Accuracy and valuation Classification
Risk Assessment Standards Identifying risks through considering The entity and its environment, including its internal control Classes of transactions, account balances, and disclosures Relating the identified risks to what could go wrong at the relevant assertion level Significant risks1 1SAS 109, Assessing Risks, paragraphs 102-121
Risk Assessment Standards Audit Risk Auditor’s Response Financial Statement Overall responses Account level Further Audit Procedures (Tests of Controls and Substantive Tests)
Risk Assessment Standards Testing of controls is encouraged The requirement to link assessed risks and the audit procedures responsive to those risks is improved Risk assessment is a continuous process, not a series of discrete stages
Risk Assessment Standards Perform further audit procedures that are clearly linked to risks at the relevant assertion level by: Performing tests of the operating effectiveness of controls Performing substantive procedures Evaluating the adequacy of presentation and disclosure1 1SAS 110, Performing Procedures SAS, paragraphs 23-68 Evaluate whether sufficient competent audit evidence has been obtained2 2SAS 110, Performing Procedures, paragraphs 70-76 Source AICPA
Risk Assessment Standards Greater emphasis is placed on testing of disclosures Greater Emphasis is placed on the Evaluation of Internal Controls Guidance on evaluating audit findings is clarified and expanded Documentation requirements are significantly expanded
Significant Changes to Existing Practices Identifying and assessing the risks of material misstatements at both the financial statement level and the relevant assertion level by performing risk assessment procedures. Designing and performing tailored further audit procedures responsive to assessed risks at the relevant assertion level Linkage of audit procedures to the risk of material misstatement.
AU Section 314 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Supersedes SAS No. 55) Source: SAS No. 109. Effective for audits of financial statements for periods beginning on or after December 15, 2006. Earlier application is permitted.
Risk Assessment Overview New Process Inquiries Analytical Procedures Brainstorming Fraud Risk Factors Other Risk Assessment Respond
SAS No. 109, Assessing Risks Risk assessment procedures and sources of information about the entity and its internal control are: Inquiries Analytical procedures Observation and inspection Discussion among audit team
SAS No. 109, Assessing Risks Inquiries of management may be directed toward: External parties – for example, legal counsel, bankers, valuation experts, etc. Internal – for example those charged with governance, internal audit, employees other than accounting personnel, in-house counsel, etc.
SAS No. 109, Assessing Risks Analytical Procedures Use guidance of SAS 56, Analytical Procedures Helpful In identifying unusual transactions or events Assist in determining amounts, ratios, trends in the financial statements
SAS No. 109, Assessing Risks Observation and inspection include: Inspection of documents and manuals (for example accounting or internal control) Reading internal reports and minutes Visit premises and plant facilities Tracing transactions through systems
SAS No. 109, Assessing Risks The auditor should consider the results of the fraud risk assessment performed during planning along with other information gathered in identifying the risks of material misstatements.
SAS No. 109, Assessing Risks Discussion among audit team: Can be held at the same time as the discussion specified in SAS 99. Objective is for members to gain a better understanding of the potential for material misstatements. An opportunity for more experienced members to share their insights.
SAS No. 109, Assessing Risks Understanding the entity and its environment, including its internal control. Industry, regulatory, and other external factors Nature of the entity Objectives and strategies and the related business risks that may result in a material misstatement of the financial statements Measurement and review of the entity's financial performance Internal control
SAS No. 109, Assessing Risks Internal control
SAS No. 109, Assessing Risks (continued) The auditor should obtain a sufficient understanding of internal controls to: Evaluate the design of controls relevant to the audit, Determine whether the controls have been implemented.
SAS No. 109, Assessing Risks The auditor should perform risk assessment procedures to obtain an understanding of internal control. Procedures include observation, inspection, or performing walkthroughs. Inquiry alone is not sufficient to evaluate the design of controls and whether they have been implemented.
SAS No. 109, Assessing Risks The auditor should identify and assess the risks of material misstatements at: Financial statement level The relevant assertion level
The three primary objectives of effective internal control. Internal Controls The three primary objectives of effective internal control.
Internal Control Objectives 1. Reliability of financial reporting 2. Efficiency and effectiveness of operations 3. Compliance with laws and regulations
Managements Responsibilities Contrast management’s responsibilities for maintaining and reporting on internal controls with the auditor’s responsibilities for understanding, testing, and reporting on internal controls.
Management and Auditor Responsibilities Related to Internal Control Management’s responsibility for establishing internal control Reasonable assurance Inherent limitations
Management and Auditor Responsibilities Related to Internal Control Design of internal control Operating effectiveness of controls
Management and Auditor Responsibilities Related to Internal Control Auditor responsibilities for understanding internal control Controls over the reliability of financial reporting Control over classes of transactions Auditor responsibilities for testing internal control
The five components of the COSO internal control framework.
Five Components of Internal Control Control Environment Risk assessment Information and communication Control activities Monitoring
The Control Environment Integrity and ethical values Commitment to competence Board of directors or audit committee participation
The Control Environment Management’s philosophy and operating style Organizational structure Human resource policies and practices
Risk Assessment Identify factors that may increase risk Estimate the significance of the risk Assess the likelihood of the risk occurring Determine actions necessary to manage the risk
Control Activities 1. Adequate separation of duties 2. Proper authorization of transactions and activities 3. Adequate documents and records 4. Physical control over assets and records 5. Independent checks on performance
Adequate Separation of Duties Custody of assets from Accounting Authorization of transactions from The custody of related assets Operational responsibility from Record-keeping responsibility IT duties from User departments
Proper Authorization of Transactions and Activities General authorization Specific authorization
Adequate Documents and Records Prenumbered consecutively Prepared at the time of transaction Designed for multiple use Constructed to encourage correct preparation
Physical Control Over Assets and Records The most important type of protective measure for safeguarding assets and records is the use of physical precautions.
Independent Checks on Performance The need for independent checks arises because internal control tends to change over time unless there is a mechanism for frequent review.
Information and Communication The purpose of an accounting information and communication system is to… initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.
Monitoring Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance… to determine whether controls are operating as intended and modified when needed.
Obtain and document an understanding of internal control. Documenting Controls Obtain and document an understanding of internal control.
Process for Understanding Internal Control and Assessing Control Risk Phase 1 Obtain an understanding of internal control: design and operation Phase 3 Design, perform, and evaluate tests of controls Phase 2 Assess control risk Phase 4 Decide planned detection risk and substantive tests
Obtain and Document Understanding of Internal Control SAS 109 and PCAOB Standard 2 both require auditors to obtain an understanding of internal control for every audit. Procedures to obtain an understanding: Design of internal controls Whether placed in operation Uses this information as a basis for the integrated audit
Methods Used Narrative Flowchart Internal control questionnaire
Narrative 1. The origin of every document and record in the system 2. All processing that takes place 3. The disposition of every document and record in the system 4. An indication of the controls relevant to the assessment of control risk
Evaluating Internal Control Operation Update and evaluate auditor’s previous experience with the entity Make inquiries of client personnel Examine documents and records Observe entity activities and operations Perform walk-throughs of the accounting system
Control Risks and Audit Objectives Assess control risk by linking key controls, significant deficiencies, and material weaknesses to transaction-related audit objectives.
Assess Control Risk Assess whether the financial statements are auditable. Determine assessed control risk supported by the understanding obtained assuming the controls are being followed. Use of a control risk matrix to assess control risk.
Control Risk Matrix Many auditors use the control risk matrix to assist in the control risk assessment process.
Control Risk Matrix Identify audit objectives Identify existing controls Associate controls with related audit objectives Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses
Evaluating Significant Control Deficiencies SIGNIFICANCE Material Material Weakness LIKELIHOOD Remote Probable Immaterial
Identify Deficiencies and Weakness Identify existing controls Identify the absence of key controls Consider the possibility of compensating controls Decide whether there is a significant deficiency or material weakness Determine potential misstatements that could result
Communications Communications to those charged with governance Management letters
Tests of Controls The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.
Procedures for Tests of Controls 1. Make inquiries of client personnel 2. Examine documents, records, and reports 3. Observe control-related activities 4. Reperform client procedures
Extent of Procedures Reliance on evidence from prior year’s audit Testing of controls related to significant risks Testing less than the entire audit period
Relationship of Assessed Control Risk and Extent of Procedures Type of procedure High level: Procedures to obtain an understanding Lower level: Tests of controls Inquiry Documentation Observation Reperformance Yes–extensive Yes–with transaction walk-through No Yes–some Yes–using sampling Yes–at multiple times
READY?? How to get ready. Document each significant business process in writing. Assess business risks involved in each process. Identify “key” controls within those processes to mitigate risks. If controls aren’t adequate to mitigate risks, you would need to consider implementing stronger controls. Also, establish a monitoring process whereby these business processes are evaluated to ensure that “key” controls are operating effectively throughout the period. The control activities questionnaire may be a good starting point to help identify your significant business processes and the key controls for those processes
Decide Planned Detection Risk and Design Substantive Tests The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests. The auditor links the control risk assessments to the balance-related audit objectives.
Check applicable risk category: Audit of Activity: __________________________________________ Check applicable risk category: Business Objective Business Risk 1. Regulatory & Legal Issues Information Systems Operational Performance Ext. and Int. Environment Assets
Risk Importance of Risk Control Activities to Address Risk Impact on audit (Test) A. 1. 2.
COMPANY NAME: PREPARED BY: __________________ AUDIT DEPARTMENT COMPANY NAME: PREPARED BY: __________________ REVIEWED BY:___________________ DATE: _____/_______/______ SECTION XX: Audit of …………………. AUDIT DATE: As of mm/dd/yyyy
DRAFT Time Budget Performed by W/P REF Operational Procedure Description of Controls Audit Objective Audit Scope Audit Procedure 1. 2. Findings The following exceptions were noted during the audit: (1) = (2) = All findings were discussed with the responsible manager. Tickmark Legend = No Exception Noted = Traced to ® = Reviewed P & P Manual. Conclusion . DRAFT
Section 404 Reporting on Internal Control 1. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects. 2. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.
Questions? Thank You