no fraud left behind the effect of new risk assessment
DESCRIPTION
TRANSCRIPT
NO FRAUD LEFT NO FRAUD LEFT BEHINDBEHIND
The Effect of New Risk Assessment The Effect of New Risk Assessment Auditing Standards on SchoolsAuditing Standards on Schools
Runyon Kersteen OuelletteRunyon Kersteen Ouellette
Risk Assessment StandardsRisk Assessment Standards
Statements on Auditing StandardsStatements on Auditing Standards SAS 104 – 111 (risk assessment)SAS 104 – 111 (risk assessment) Other recently issued standardsOther recently issued standards SAS 112 – 115SAS 112 – 115 How will these new audit standards How will these new audit standards
affect school audits?affect school audits?
SAS 104SAS 104
Due professional care in the Due professional care in the performance of workperformance of work
Clarified the definition of reasonable Clarified the definition of reasonable assuranceassurance
Emphasized that reasonable Emphasized that reasonable assurance is a high level of assurance is a high level of assurance, but not absolute assurance, but not absolute assuranceassurance
SAS 105SAS 105
Amendment to SAS 95, Amendment to SAS 95, Generally Generally Accepted Auditing StandardsAccepted Auditing Standards
Expands the scope of the Expands the scope of the understanding that the auditor is understanding that the auditor is required to obtain from “internal required to obtain from “internal control” to “the entity and its control” to “the entity and its environment, including its internal environment, including its internal control”control”
SAS 105SAS 105
Emphasizes that the understanding is Emphasizes that the understanding is obtained to “assess the risk of material obtained to “assess the risk of material misstatement of the financial misstatement of the financial statements”statements”
The understanding of the entity and its The understanding of the entity and its internal control is part of the audit internal control is part of the audit evidence that supports the opinionevidence that supports the opinion
Used to be only part of the audit Used to be only part of the audit planningplanning
SAS 106SAS 106
Audit evidenceAudit evidence Identifies “risk assessment Identifies “risk assessment
procedures” as procedures procedures” as procedures performed to obtain an performed to obtain an understanding of the entity in order understanding of the entity in order to assess the risk of material to assess the risk of material misstatementmisstatement
SAS 106SAS 106
Evidence obtained from performing risk Evidence obtained from performing risk assessment procedures, including assessment procedures, including gaining an understanding of the entity gaining an understanding of the entity and its environment, including its and its environment, including its internal controls as well as tests of internal controls as well as tests of controls and substantive procedures is controls and substantive procedures is part of the evidence obtained to part of the evidence obtained to support the audit opinion (not just to support the audit opinion (not just to plan the audit)plan the audit)
SAS 106SAS 106
Risk assessment procedures include:Risk assessment procedures include: Inquiries of management and othersInquiries of management and others Analytical proceduresAnalytical procedures Observation and inspectionObservation and inspection
Inquiry alone is no longer sufficient Inquiry alone is no longer sufficient to evaluate controls and whether to evaluate controls and whether they have been implemented they have been implemented
SAS 107SAS 107
Audit risk and materiality in Audit risk and materiality in conducting an auditconducting an audit
Auditors can no longer default to Auditors can no longer default to maximum risk (instead of testing maximum risk (instead of testing controls)controls)
Materiality should take qualitative Materiality should take qualitative considerations into account as well considerations into account as well as quantitative as quantitative
SAS 108SAS 108
Planning and supervisionPlanning and supervision New guidance on development of New guidance on development of
overall audit strategy and audit planoverall audit strategy and audit plan Establish an understanding with the Establish an understanding with the
clientclient What is management’s responsibility What is management’s responsibility
compared to the auditor’s responsibilitycompared to the auditor’s responsibility
SAS 109SAS 109
Understanding the entity and its Understanding the entity and its environment and assessing the risks of environment and assessing the risks of material misstatementsmaterial misstatements
Understanding the entity:Understanding the entity: Industry, regulatory, and other external factorsIndustry, regulatory, and other external factors Nature of the entityNature of the entity Objectives and strategies and the related risksObjectives and strategies and the related risks Measurement and review of financial performanceMeasurement and review of financial performance Internal control, which includes accounting Internal control, which includes accounting
policiespolicies
SAS 109SAS 109
Understanding of internal controlUnderstanding of internal control Evaluating design of a controlEvaluating design of a control Determining whether it has been implementedDetermining whether it has been implemented
Evaluating the design of control involves Evaluating the design of control involves considering whether the control, considering whether the control, individually or in combination with other individually or in combination with other controls, is capable of effectively controls, is capable of effectively preventing or detecting and correcting preventing or detecting and correcting material misstatementsmaterial misstatements
SAS 109SAS 109
Components of internal control:Components of internal control: Control environment – tone of organizationControl environment – tone of organization Risk assessment – identification and analysis of Risk assessment – identification and analysis of
relevant risksrelevant risks Information and communication systems – Information and communication systems –
identification, capture and communication of identification, capture and communication of informationinformation
Control activities – policies and proceduresControl activities – policies and procedures Monitoring – assessment of the quality of Monitoring – assessment of the quality of
internal control performanceinternal control performance
Control EnvironmentControl Environment
Primary responsibility for the Primary responsibility for the prevention and detection of fraud prevention and detection of fraud and errors rests with those charged and errors rests with those charged with governance and managementwith governance and management
The absence or inadequacy of such The absence or inadequacy of such programs and controls may programs and controls may constitute a significant deficiency or constitute a significant deficiency or material weaknessmaterial weakness
Control EnvironmentControl Environment
Communication and enforcement of integrity Communication and enforcement of integrity and ethical valuesand ethical values
Commitment to competenceCommitment to competence Participation of those charged with governanceParticipation of those charged with governance Management’s philosophy and operating styleManagement’s philosophy and operating style Organizational structureOrganizational structure Assignment of authority and responsibilityAssignment of authority and responsibility Human resource policies and practicesHuman resource policies and practices
Risk AssessmentRisk Assessment
Risk assessment process for financial Risk assessment process for financial reporting purposes is its reporting purposes is its identification, analysis, and identification, analysis, and management of risks relevant to the management of risks relevant to the preparation of financial statements preparation of financial statements that are presented fairly in that are presented fairly in conformity with GAAPconformity with GAAP
Risk AssessmentRisk Assessment
Risks relevant to financial reporting:Risks relevant to financial reporting: Changes in operating environmentChanges in operating environment New personnelNew personnel New or revamped information systemsNew or revamped information systems Rapid growthRapid growth New accounting pronouncementsNew accounting pronouncements
Information and Information and Communication SystemsCommunication Systems
Information systems consist of Information systems consist of procedures, whether automated or procedures, whether automated or manual, and records established to manual, and records established to initiate, authorize, record, process, initiate, authorize, record, process, and report entity transactions and to and report entity transactions and to maintain accountability for the maintain accountability for the related assets, liabilities and equityrelated assets, liabilities and equity
Information and Information and Communication SystemsCommunication Systems
Communication involves providing an Communication involves providing an understanding of individual roles and understanding of individual roles and responsibilities pertaining to internal responsibilities pertaining to internal control over financial reportingcontrol over financial reporting
Control ActivitiesControl Activities
AuthorizationAuthorization Segregation of dutiesSegregation of duties SafeguardingSafeguarding Asset accountabilityAsset accountability
MonitoringMonitoring
Management is responsible for Management is responsible for establishing and maintaining internal establishing and maintaining internal controls on an ongoing basiscontrols on an ongoing basis
Monitoring controls includes determining Monitoring controls includes determining whether internal controls are operating as whether internal controls are operating as intended and modifying as appropriate for intended and modifying as appropriate for changes in conditionschanges in conditions
Monitoring is done to ensure that controls Monitoring is done to ensure that controls continue to operate effectivelycontinue to operate effectively
SAS 110SAS 110
Performing audit procedures in Performing audit procedures in response to assessed risks and response to assessed risks and evaluating the audit evidence obtainedevaluating the audit evidence obtained
Requires tests of controls to obtain Requires tests of controls to obtain audit evidence about their operating audit evidence about their operating effectiveness when assessment of risks effectiveness when assessment of risks is based on the expectation that is based on the expectation that controls are operating effectivelycontrols are operating effectively
SAS 112SAS 112
Communicating internal control related Communicating internal control related matters identified in an auditmatters identified in an audit
Defines the terms Defines the terms significant deficiencysignificant deficiency and and material weakness (revised by SAS material weakness (revised by SAS 115)115)
Provides guidance on the severity of Provides guidance on the severity of control deficienciescontrol deficiencies
Requires communication in writing to Requires communication in writing to management and those changed with management and those changed with governancegovernance
Control DeficiencyControl Deficiency
Exists when the Exists when the designdesign or or operationoperation of a control does not allow of a control does not allow management or employees, in the management or employees, in the normal course of performing their normal course of performing their assigned functions, to prevent or assigned functions, to prevent or detect misstatements on a timely detect misstatements on a timely basisbasis
Control DeficiencyControl Deficiency
Deficiency in Deficiency in designdesign exists when: exists when: a control necessary to meet the control a control necessary to meet the control
objective is missing orobjective is missing or an existing control is not properly an existing control is not properly
designed so that even if the control designed so that even if the control operates as designed, the control operates as designed, the control objective is not always metobjective is not always met
Control DeficiencyControl Deficiency
Deficiency in Deficiency in operationoperation exists when: exists when: a properly designed control does not a properly designed control does not
operate as designed or operate as designed or when the person performing the control when the person performing the control
does not possess the necessary does not possess the necessary authority or qualifications to perform the authority or qualifications to perform the control effectivelycontrol effectively
SIGNIFICANT DEFICIENCY (SAS SIGNIFICANT DEFICIENCY (SAS 112)112)
A control deficiency, or combination of A control deficiency, or combination of control deficiencies, that adversely affects control deficiencies, that adversely affects the entity’s ability to initiate, authorize, the entity’s ability to initiate, authorize, record, process, or report financial data record, process, or report financial data reliably in accordance with generally reliably in accordance with generally accepted accounting principles such that accepted accounting principles such that there is more than a remote likelihood that a there is more than a remote likelihood that a misstatement of the entity’s financial misstatement of the entity’s financial statements that is more than inconsequential statements that is more than inconsequential will not be prevented or detectedwill not be prevented or detected
SIGNIFICANT DEFICIENCY (SAS SIGNIFICANT DEFICIENCY (SAS 115)115)
A deficiency, or a combination of A deficiency, or a combination of deficiencies, in internal control that is deficiencies, in internal control that is less severe than a material less severe than a material weakness, yet important enough to weakness, yet important enough to merit attention by those charged merit attention by those charged with governancewith governance
Material Weakness (SAS Material Weakness (SAS 112)112)
A significant deficiency, or a A significant deficiency, or a combination of significant combination of significant deficiencies, that results in more deficiencies, that results in more than a remote likelihood that a than a remote likelihood that a material misstatement of the material misstatement of the financial statements will not be financial statements will not be prevented or detectedprevented or detected
Material Weakness (SAS Material Weakness (SAS 115)115)
A deficiency, or combination of A deficiency, or combination of deficiencies, in internal control, such deficiencies, in internal control, such that there is a reasonable possibility that there is a reasonable possibility that a material misstatement of the that a material misstatement of the entity’s financial statements will not entity’s financial statements will not be prevented, or detected and be prevented, or detected and corrected on a timely basiscorrected on a timely basis
Material Weakness (SAS Material Weakness (SAS 115)115)
Identification of fraud, whether or not Identification of fraud, whether or not material, on the part of senior material, on the part of senior managementmanagement
Restatement of previously issued Restatement of previously issued financial statements to reflect the financial statements to reflect the correction of a material correction of a material misstatement due to error or fraudmisstatement due to error or fraud
Material Weakness (SAS Material Weakness (SAS 115)115)
Identification by the auditor of a material Identification by the auditor of a material misstatement of the financial statements misstatement of the financial statements under the audit in circumstances that under the audit in circumstances that indicate that the misstatement would not indicate that the misstatement would not have been detected by the entity’s have been detected by the entity’s internal controlinternal control
Ineffective oversight of the entity’s Ineffective oversight of the entity’s financial reporting and internal control by financial reporting and internal control by those charged with governancethose charged with governance
SAS 114SAS 114
Auditor’s communication with those Auditor’s communication with those charged with governancecharged with governance
Supersedes SAS 61Supersedes SAS 61 Requires communication before and Requires communication before and
after the auditafter the audit
SAS 114SAS 114
Planned scope and timing of auditPlanned scope and timing of audit Assist those charged with governance in Assist those charged with governance in
understanding the consequences of the understanding the consequences of the auditor’s workauditor’s work
Discussing issues of risk and materialityDiscussing issues of risk and materiality Identifying any areas that those charged with Identifying any areas that those charged with
governance request the auditor to undertake governance request the auditor to undertake additional proceduresadditional procedures
Assist auditor to understand the entity and its Assist auditor to understand the entity and its environmentenvironment
SAS 114SAS 114
Auditor’s responsibilities under Auditor’s responsibilities under GAASGAAS Significant findings from auditSignificant findings from audit
Qualitative aspects of the entity’s Qualitative aspects of the entity’s significant accounting practices, including significant accounting practices, including policies, estimates, and disclosurespolicies, estimates, and disclosures
Significant difficulties or disagreementsSignificant difficulties or disagreements Uncorrected misstatements, unless trivialUncorrected misstatements, unless trivial Other findings or issuesOther findings or issues
ANY QUESTIONS????ANY QUESTIONS????