risk assessment and the governmental audit presented to:connecticut society of cpa’s date:may 14,...

71
Risk Assessment Risk Assessment and the and the Governmental Audit Governmental Audit Presented to: Presented to: Connecticut Society of CPA’s Connecticut Society of CPA’s Date: Date: May 14, 2008 May 14, 2008 Presented by: Presented by: Christian J. Rogers, CPA, Christian J. Rogers, CPA, Shareholder Shareholder

Upload: james-hunt

Post on 28-Dec-2015

214 views

Category:

Documents


0 download

TRANSCRIPT

Risk Assessment and Risk Assessment and the Governmental Auditthe Governmental Audit

Presented to:Presented to: Connecticut Society of CPA’sConnecticut Society of CPA’s

Date:Date: May 14, 2008May 14, 2008

Presented by:Presented by: Christian J. Rogers, CPA, ShareholderChristian J. Rogers, CPA, Shareholder

May 14, 2008May 14, 2008 22

Today’s AgendaToday’s Agenda Brief discussion of each of the new risk Brief discussion of each of the new risk

assessment standards (“Risk Assessment Suite”), assessment standards (“Risk Assessment Suite”), SAS’s 104 - 111SAS’s 104 - 111

Purpose and objectives of the new standardsPurpose and objectives of the new standards Major changes to current practiceMajor changes to current practice Assessing risks of material misstatementAssessing risks of material misstatement Procedures to perform in response to assessed Procedures to perform in response to assessed

risksrisks Audit documentationAudit documentation Wrap-upWrap-up QuestionsQuestions

May 14, 2008May 14, 2008 33

Risk Assessment SuiteRisk Assessment Suite

SAS No. 104, Amendment to SAS Amendment to SAS No. 1 (Codification of Auditing No. 1 (Codification of Auditing Standards and Procedures)Standards and Procedures)• Expands the definition of “reasonable Expands the definition of “reasonable

assurance” (as cited in the Auditor’s assurance” (as cited in the Auditor’s Opinion) as a “Opinion) as a “highhigh level of assurance”. level of assurance”.

May 14, 2008May 14, 2008 44

Risk Assessment SuiteRisk Assessment Suite

SAS No. 105, Amendment to SAS 95, Amendment to SAS 95, Generally Accepted Auditing StandardsGenerally Accepted Auditing Standards• Reflects new usage of terms required by SAS No. 102.Reflects new usage of terms required by SAS No. 102.

• Second standard of fieldwork modified as follows:Second standard of fieldwork modified as follows: Expands scope from “internal control” to “the entity and its Expands scope from “internal control” to “the entity and its

environment, including its internal control”environment, including its internal control” Extends purpose from “planning the audit” to “assessing Extends purpose from “planning the audit” to “assessing

the risk of material misstatement of the financial the risk of material misstatement of the financial statements whether due to error or fraud”statements whether due to error or fraud”

““Tests to be performed” is replaced with “further audit Tests to be performed” is replaced with “further audit procedures”procedures”

May 14, 2008May 14, 2008 55

Risk Assessment SuiteRisk Assessment Suite

SAS 105 (Continued)SAS 105 (Continued)• Third standard of fieldwork is modified Third standard of fieldwork is modified

as follows:as follows: Eliminates reference to specific audit Eliminates reference to specific audit

procedures (inspection, observation, procedures (inspection, observation, inquiries and confirmation); reference is to inquiries and confirmation); reference is to “audit procedures”“audit procedures”

““Competent evidential matter” is replaced Competent evidential matter” is replaced with “Appropriate audit evidence”with “Appropriate audit evidence”

• Appropriate is defined in SAS 106 (para. 6)Appropriate is defined in SAS 106 (para. 6)

May 14, 2008May 14, 2008 66

Risk Assessment SuiteRisk Assessment Suite

SAS No. 106, Audit Evidence (Amends SAS SAS No. 106, Audit Evidence (Amends SAS 31, Evidential Matter)31, Evidential Matter)• Provides guidance regarding concepts Provides guidance regarding concepts

underlying the third standard of fieldwork:underlying the third standard of fieldwork: ““The auditor must obtain sufficient The auditor must obtain sufficient

appropriate audit evidence by performing appropriate audit evidence by performing audit procedures to afford a reasonable audit procedures to afford a reasonable basis for an opinion regarding the financial basis for an opinion regarding the financial statements under audit.” statements under audit.”

May 14, 2008May 14, 2008 77

Risk Assessment SuiteRisk Assessment Suite

SAS No. 106, Audit Evidence (Continued)SAS No. 106, Audit Evidence (Continued)• Defines audit evidenceDefines audit evidence• Defines and discusses relevant assertions and Defines and discusses relevant assertions and

their use in risk assessment and designing their use in risk assessment and designing appropriate further audit proceduresappropriate further audit procedures

• Discusses qualitative aspects in determining Discusses qualitative aspects in determining the sufficiency and appropriateness of audit the sufficiency and appropriateness of audit evidenceevidence

• Describes various audit procedures and Describes various audit procedures and discusses purposes for which they may be discusses purposes for which they may be performedperformed

May 14, 2008May 14, 2008 88

Risk Assessment SuiteRisk Assessment Suite SAS No. 107, Audit Risk and Materiality (Amends SAS 47)

• Provides guidance on auditor’s consideration of AR and Provides guidance on auditor’s consideration of AR and materiality in a financial statement audit in accordance with materiality in a financial statement audit in accordance with GAASGAAS

• Auditor must consider audit risk and must determine Auditor must consider audit risk and must determine materiality for the financial statements as a whole to:materiality for the financial statements as a whole to:

Determine extent and nature of risk assessment proceduresDetermine extent and nature of risk assessment procedures Identify and assess the risks of material misstatementIdentify and assess the risks of material misstatement Determine the nature, timing and extent of further audit Determine the nature, timing and extent of further audit

proceduresprocedures Evaluate whether the financial statements (taken as a whole) are Evaluate whether the financial statements (taken as a whole) are

presented, in all material respects, in conformity with GAAPpresented, in all material respects, in conformity with GAAP

• AR should be considered at the:AR should be considered at the: Overall financial statement levelOverall financial statement level Relevant assertions related to individual account balances, classes Relevant assertions related to individual account balances, classes

of transactions and disclosure levelof transactions and disclosure level

May 14, 2008May 14, 2008 99

Risk Assessment SuiteRisk Assessment Suite SAS 107 (Continued)SAS 107 (Continued)

• AR at the financial statement level often relate AR at the financial statement level often relate to control environmentto control environment

FraudFraud Competence of managementCompetence of management Related party transactionsRelated party transactions

• AR at the individual account balance, class of AR at the individual account balance, class of transactions and disclosure level consists of 2 transactions and disclosure level consists of 2 components:components:

Combined riskCombined risk• Inherent risk (IR)Inherent risk (IR)• Control risk (CR)Control risk (CR)

Detection risk (DR)Detection risk (DR)

May 14, 2008May 14, 2008 1010

Risk Assessment SuiteRisk Assessment Suite

SAS No. 107 (Continued)SAS No. 107 (Continued)• Determination of materiality is a matter Determination of materiality is a matter

of professional judgmentof professional judgment Based on needs of users of financial Based on needs of users of financial

statementsstatements

• Materiality involves quantitative and Materiality involves quantitative and qualitative characteristicsqualitative characteristics

• The auditor must accumulate and The auditor must accumulate and respond to both known and likely respond to both known and likely misstatementsmisstatements

May 14, 2008May 14, 2008 1111

Risk Assessment SuiteRisk Assessment Suite

SAS 107 (Continued)SAS 107 (Continued)• Auditor must consider the effect (both Auditor must consider the effect (both

individually and in the aggregate) of individually and in the aggregate) of misstatements (known and likely) not misstatements (known and likely) not corrected by the clientcorrected by the client

• Auditor should reassess materiality that Auditor should reassess materiality that was determined during planningwas determined during planning

Additional procedures may need to be Additional procedures may need to be applied to support opinionapplied to support opinion

May 14, 2008May 14, 2008 1212

Risk Assessment SuiteRisk Assessment Suite

SAS 108, Planning and Supervision SAS 108, Planning and Supervision (amends SAS 1 and SAS 22)(amends SAS 1 and SAS 22)• The first standard of fieldwork states:The first standard of fieldwork states:

““The auditor must adequately plan the work The auditor must adequately plan the work and must properly supervise any assistants”and must properly supervise any assistants”

• This statement establishes standards This statement establishes standards and provides guidance when conducting and provides guidance when conducting a GAAS audita GAAS audit

• Planning and supervision is a continuous Planning and supervision is a continuous processprocess

May 14, 2008May 14, 2008 1313

Risk Assessment SuiteRisk Assessment Suite

SAS 108 (Continued)SAS 108 (Continued)• Addresses the following:Addresses the following:

Appointment of the independent auditorAppointment of the independent auditor Establishing written understanding with clientEstablishing written understanding with client Preliminary engagement activitiesPreliminary engagement activities Overall audit strategyOverall audit strategy Audit planAudit plan Extent of involvement of specialistsExtent of involvement of specialists Communication with those CWG and managementCommunication with those CWG and management Additional considerations in initial auditsAdditional considerations in initial audits

May 14, 2008May 14, 2008 1414

Risk Assessment SuiteRisk Assessment Suite

SAS 109, Understanding the Entity and Its SAS 109, Understanding the Entity and Its Environment and Assessing Risks of Environment and Assessing Risks of Material Misstatement (amends, along Material Misstatement (amends, along with SAS 110, SAS 55)with SAS 110, SAS 55)• This statement establishes standards and This statement establishes standards and

provides guidance about implementing the 2provides guidance about implementing the 2ndnd standard of fieldworkstandard of fieldwork

““The auditor must obtain a sufficient understanding The auditor must obtain a sufficient understanding of the entity and its environment, including internal of the entity and its environment, including internal control, to assess the risk of material misstatement of control, to assess the risk of material misstatement of the financial statements whether due to error or the financial statements whether due to error or fraud, and to design the nature, timing and extent of fraud, and to design the nature, timing and extent of further audit procedures”further audit procedures”

May 14, 2008May 14, 2008 1515

Risk Assessment SuiteRisk Assessment Suite

SAS 109 (Continued)SAS 109 (Continued)• In summary, SAS 109 addressesIn summary, SAS 109 addresses

Risk assessment procedures and sources of Risk assessment procedures and sources of information about the entity and its information about the entity and its environment, including ICenvironment, including IC

Understanding the entity and its Understanding the entity and its environment, including ICenvironment, including IC

Assessing the risks of material misstatementAssessing the risks of material misstatement DocumentationDocumentation

May 14, 2008May 14, 2008 1616

Risk Assessment SuiteRisk Assessment Suite

SAS 109 (Continued)SAS 109 (Continued)• Areas of Areas of significant risksignificant risk require special require special

attentionattention Often relate to non-routine transactions and Often relate to non-routine transactions and

judgmental mattersjudgmental matters

• We will discuss this standard in greater We will discuss this standard in greater detail in a little whiledetail in a little while

May 14, 2008May 14, 2008 1717

Risk Assessment SuiteRisk Assessment Suite

SAS 110, Performing Audit Procedures in SAS 110, Performing Audit Procedures in Response to Assessed Risks and Response to Assessed Risks and Evaluating the Audit Evidence Obtained Evaluating the Audit Evidence Obtained (amends, along with SAS 109, SAS 55)(amends, along with SAS 109, SAS 55)• Provides standards and guidance regarding Provides standards and guidance regarding

concepts underlying the third standard of concepts underlying the third standard of fieldwork, which states:fieldwork, which states:

““The auditor must obtain sufficient appropriate audit The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the reasonable basis for an opinion regarding the financial statements under audit.”financial statements under audit.”

May 14, 2008May 14, 2008 1818

Risk Assessment SuiteRisk Assessment Suite

SAS 110 (Continued)SAS 110 (Continued) Determination of overall responsesDetermination of overall responses Designing and performing further audit Designing and performing further audit

proceduresprocedures Evaluating whether the risk assessments Evaluating whether the risk assessments

remain appropriate and to conclude whether remain appropriate and to conclude whether sufficient appropriate audit evidence has sufficient appropriate audit evidence has been obtainedbeen obtained

DocumentationDocumentation

• We will discuss this standard in greater We will discuss this standard in greater detail in a little whiledetail in a little while

May 14, 2008May 14, 2008 1919

Risk Assessment SuiteRisk Assessment Suite

SAS 111, Amendment to SAS 39, SAS 111, Amendment to SAS 39, Audit SamplingAudit Sampling• Provides enhanced guidance on

tolerable misstatement. Generally, misstatement in an account should be less than materiality to allow for aggregation in final assessment.

May 14, 2008May 14, 2008 2020

Purpose and ObjectivesPurpose and Objectives

The Purpose of the New StandardsThe Purpose of the New Standards

• To enhance the auditor’s performance To enhance the auditor’s performance and, as a result, increase the and, as a result, increase the effectiveness of auditseffectiveness of audits

May 14, 2008May 14, 2008 2121

Purpose and ObjectivesPurpose and Objectives The Objectives of the New StandardsThe Objectives of the New Standards

• Requiring a more in-depth understanding of the entity Requiring a more in-depth understanding of the entity and its environment, including its internal control (IC), to and its environment, including its internal control (IC), to identify the risks of material misstatement and what the identify the risks of material misstatement and what the entity is doing to mitigate thementity is doing to mitigate them

• Requiring a more rigorous assessment of the risks of Requiring a more rigorous assessment of the risks of material misstatement based on our understanding of material misstatement based on our understanding of the entity and its ICthe entity and its IC

• Improving linkage between the assessed risks and the Improving linkage between the assessed risks and the nature, timing and extent of audit procedures performed nature, timing and extent of audit procedures performed in response to those risksin response to those risks

May 14, 2008May 14, 2008 2222

Major Changes to Current PracticeMajor Changes to Current Practice

Major ChangesMajor Changes• One size does not fit allOne size does not fit all

Procedures/audit programs must be tailoredProcedures/audit programs must be tailored

• Risk assessment at the assertion levelRisk assessment at the assertion level• Default to maximum control risk is no Default to maximum control risk is no

longer permittedlonger permitted• Potential for higher level (more Potential for higher level (more

experienced) staff required during experienced) staff required during planning and risk assessment stages planning and risk assessment stages (dependent upon your current process)(dependent upon your current process)

May 14, 2008May 14, 2008 2323

Assessing Risks of Material Assessing Risks of Material Misstatement ( RMM)Misstatement ( RMM)

Where do we begin?Where do we begin?• Step 1 - Risk assessment procedures Step 1 - Risk assessment procedures

and sources of information about the and sources of information about the entity and its environment, including ICentity and its environment, including IC

• Step 2 – Understanding the entity and Step 2 – Understanding the entity and its environment, including its ICits environment, including its IC

Let’s get into the detailsLet’s get into the details

May 14, 2008May 14, 2008 2424

Assessing RMMAssessing RMM

Risk Assessment ProceduresRisk Assessment Procedures• Inquiries of management and othersInquiries of management and others• Analytical proceduresAnalytical procedures• Observation and inspectionObservation and inspection• Discussion among audit teamDiscussion among audit team• Other considerationsOther considerations

Let’s discuss each of these in further Let’s discuss each of these in further detaildetail

May 14, 2008May 14, 2008 2525

Assessing RMMAssessing RMM Inquiries of management and othersInquiries of management and others

• Those charged with governanceThose charged with governance• Internal auditorsInternal auditors• Employees who initiate, authorize, process or Employees who initiate, authorize, process or

record complex or unusual transactionsrecord complex or unusual transactions• In-house legal counselIn-house legal counsel• Sales or production personnelSales or production personnel• External partiesExternal parties

Investment managers and financial advisorsInvestment managers and financial advisors AttorneysAttorneys Rating agenciesRating agencies Regulatory bodiesRegulatory bodies

May 14, 2008May 14, 2008 2626

Assessing RMMAssessing RMM

Analytical ProceduresAnalytical Procedures• SAS No. 56 provides guidanceSAS No. 56 provides guidance• Assist in identifying the existence of Assist in identifying the existence of

unusual:unusual: Transactions or eventsTransactions or events AmountsAmounts RatiosRatios TrendsTrends

May 14, 2008May 14, 2008 2727

Assessing RMMAssessing RMM

Analytical Procedures (Continued)Analytical Procedures (Continued)• Expectations should be developed, for Expectations should be developed, for

example:example: Expected change as a result of budgetExpected change as a result of budget Expected change as a result of new revenue Expected change as a result of new revenue

streamstream

• Results is usually only a broad indication Results is usually only a broad indication about whether or not a MM existsabout whether or not a MM exists

• Consider results with other information Consider results with other information gatheredgathered

May 14, 2008May 14, 2008 2828

Assessing RMMAssessing RMM

Observation and InspectionObservation and Inspection• May support inquiries of management May support inquiries of management

and other and provide additional and other and provide additional informationinformation

Observation of activities and operationObservation of activities and operation Inspection of records and internal control Inspection of records and internal control

manualsmanuals Reading reports prepared by management:Reading reports prepared by management:

• Interim financial statementsInterim financial statements• Budget documentsBudget documents

May 14, 2008May 14, 2008 2929

Assessing RMMAssessing RMM

Observation and Inspection Observation and Inspection (Continued)(Continued)

Reading reports (i.e., minutes to meetings) Reading reports (i.e., minutes to meetings) prepared by those charged with governanceprepared by those charged with governance

Internal audit reportsInternal audit reports Facility site visitsFacility site visits Tracing transactions through the information Tracing transactions through the information

system relevant to financial reportingsystem relevant to financial reporting

May 14, 2008May 14, 2008 3030

Assessing RMMAssessing RMM

Audit Team DiscussionAudit Team Discussion• Can be held concurrently with SAS 99 Can be held concurrently with SAS 99

discussiondiscussion• Objective is for audit team to obtain a Objective is for audit team to obtain a

better understanding of the potential for better understanding of the potential for material misstatements and relationship material misstatements and relationship between the result of the procedures between the result of the procedures performed and other aspects of the performed and other aspects of the audit (this is key)audit (this is key)

May 14, 2008May 14, 2008 3131

Assessing RMMAssessing RMM

Audit Team Discussion (Continued)Audit Team Discussion (Continued)• Discussion should include:Discussion should include:

Areas of significant audit riskAreas of significant audit risk Areas susceptible to management overrideAreas susceptible to management override Unusual accounting proceduresUnusual accounting procedures Important IC systemsImportant IC systems Materiality at financial statement and Materiality at financial statement and

account levelaccount level Application of GAAP related to the entityApplication of GAAP related to the entity

May 14, 2008May 14, 2008 3232

Assessing RMMAssessing RMM

Other items for considerationOther items for consideration• Results of SAS 99 proceduresResults of SAS 99 procedures• Results of prior year auditsResults of prior year audits

Should determine if changes have occurred Should determine if changes have occurred that could affect the relevance of that that could affect the relevance of that informationinformation

• Communications with the client in Communications with the client in between audit cyclesbetween audit cycles

May 14, 2008May 14, 2008 3333

Assessing RMMAssessing RMM

Understanding the Entity and its Understanding the Entity and its Environment, Including its ICEnvironment, Including its IC• Includes the following aspectsIncludes the following aspects

1.1. Industry, regulatory and other external factorsIndustry, regulatory and other external factors

2.2. Nature of the entityNature of the entity

3.3. Objectives and strategies and the related business Objectives and strategies and the related business risks that may result in a material misstatementrisks that may result in a material misstatement

4.4. Measurement and review of the entity’s financial Measurement and review of the entity’s financial performanceperformance

5.5. Internal control, which includes the selection and Internal control, which includes the selection and application of accounting policiesapplication of accounting policies

May 14, 2008May 14, 2008 3434

Assessing RMMAssessing RMM

For items 1 through 4 above, the For items 1 through 4 above, the auditor should consider the auditor should consider the following:following:

• Industry, regulatory and other external Industry, regulatory and other external factorsfactors

Industry conditionsIndustry conditions• Market and competitionMarket and competition• Cyclical or seasonal activityCyclical or seasonal activity• Budgetary constraints at the state and/or federal Budgetary constraints at the state and/or federal

levellevel

May 14, 2008May 14, 2008 3535

Assessing RMMAssessing RMM

Regulatory environmentRegulatory environment• Industry-specific practicesIndustry-specific practices• Legislation and regulation that significantly affect Legislation and regulation that significantly affect

the entity’s operationsthe entity’s operations Direct supervisory activitiesDirect supervisory activities Regulatory requirementsRegulatory requirements

• TaxesTaxes• EnvironmentalEnvironmental

External factorsExternal factors• Recession, growth, etc.Recession, growth, etc.• Interest ratesInterest rates• InflationInflation

May 14, 2008May 14, 2008 3636

Assessing RMMAssessing RMM• Nature of the entityNature of the entity

Business operationsBusiness operations• Nature of revenue sourcesNature of revenue sources• Products or services and the related marketProducts or services and the related market• Related party transactionsRelated party transactions• Location of facilitiesLocation of facilities

InvestmentsInvestments• In joint ventures, special-purpose entities, etc.In joint ventures, special-purpose entities, etc.• In plant and equipmentIn plant and equipment

FinancingFinancing• Use of derivativesUse of derivatives• LeasingLeasing• DebtDebt

Financial reportingFinancial reporting• Accounting principles and industry-specific practicesAccounting principles and industry-specific practices• Revenue recognition practicesRevenue recognition practices• Foreign currency transactionsForeign currency transactions• Unusual and complex transactionsUnusual and complex transactions

May 14, 2008May 14, 2008 3737

Assessing RMMAssessing RMM

• Objectives and Strategies and Related Objectives and Strategies and Related Business RisksBusiness Risks

New products or servicesNew products or services Industry developmentsIndustry developments New accounting and regulatory requirementsNew accounting and regulatory requirements

• Measurement and Review of Financial Measurement and Review of Financial PerformancePerformance

Key performance indicatorsKey performance indicators TrendsTrends Analyst reports and credit ratingsAnalyst reports and credit ratings

Appendix A of SAS 109 includes more Appendix A of SAS 109 includes more examples of matters that the auditor may examples of matters that the auditor may considerconsider

May 14, 2008May 14, 2008 3838

Assessing RMMAssessing RMM

Internal ControlInternal Control• A process, effected by those charged A process, effected by those charged

with governance, management and with governance, management and other personnel, designed to provide other personnel, designed to provide reasonable assurance about the reasonable assurance about the achievement of the entity’s objectives achievement of the entity’s objectives regarding the reliability of financial regarding the reliability of financial reporting, effectiveness and efficiency of reporting, effectiveness and efficiency of operations, and compliance with operations, and compliance with applicable laws and regulations.applicable laws and regulations.

May 14, 2008May 14, 2008 3939

Assessing RMMAssessing RMM

Internal Control (Continued)Internal Control (Continued)• Auditor should obtain an understanding Auditor should obtain an understanding

of the five components of IC sufficient to of the five components of IC sufficient to assess RMM (due to error or fraud), and assess RMM (due to error or fraud), and to design the nature, timing and extent to design the nature, timing and extent of further audit proceduresof further audit procedures

May 14, 2008May 14, 2008 4040

Assessing RMMAssessing RMM

Internal Control (Continued)Internal Control (Continued)• The COSO framework:The COSO framework:

May 14, 2008May 14, 2008 4141

Assessing RMMAssessing RMM

Internal Control (Continued)Internal Control (Continued)• Control EnvironmentControl Environment

The foundation for all other IC componentsThe foundation for all other IC components Sets organizational toneSets organizational tone

• Risk AssessmentRisk Assessment Entity’s identification and analysis of relevant risks in Entity’s identification and analysis of relevant risks in

achieving objectivesachieving objectives Forms a basis for how those risks should be managedForms a basis for how those risks should be managed

• Information and CommunicationsInformation and Communications Supports the identification, capture and exchange of Supports the identification, capture and exchange of

information in a form and timeframe that enable information in a form and timeframe that enable people to carry out their responsibilitiespeople to carry out their responsibilities

May 14, 2008May 14, 2008 4242

Assessing RMMAssessing RMM

Internal Control (Continued)Internal Control (Continued)• Control activitiesControl activities

The policies and procedures that ensure that The policies and procedures that ensure that management’s directives are carried outmanagement’s directives are carried out

• MonitoringMonitoring Assesses the quality of IC performance over Assesses the quality of IC performance over

timetime

May 14, 2008May 14, 2008 4343

Assessing RMMAssessing RMM

Internal Control (Continued)Internal Control (Continued)• Depth of understanding ICDepth of understanding IC

Evaluate design of controls relevant to the auditEvaluate design of controls relevant to the audit• Is the control capable, individually or collectively, of Is the control capable, individually or collectively, of

effectively preventing or detecting and correcting effectively preventing or detecting and correcting material misstatementsmaterial misstatements

Determine whether the applicable controls have been Determine whether the applicable controls have been implemented (the control exists and the entity is implemented (the control exists and the entity is using it)using it)

The design of the control should be considered in The design of the control should be considered in determining whether to consider its implementationdetermining whether to consider its implementation

• If the design is deficient, it’s implementation is If the design is deficient, it’s implementation is ineffectiveineffective

May 14, 2008May 14, 2008 4444

Assessing RMMAssessing RMM

Internal Control (Continued)Internal Control (Continued) Perform risk assessment procedures to Perform risk assessment procedures to

obtain understanding of ICobtain understanding of IC• Inquiry of personnelInquiry of personnel• Observation of the application of specific controlsObservation of the application of specific controls• Inspecting documents and reportsInspecting documents and reports• Tracing transactions through the financial Tracing transactions through the financial

reporting systemreporting system Inquiry alone is not sufficientInquiry alone is not sufficient

May 14, 2008May 14, 2008 4545

Assessing RMMAssessing RMM

Assessing RMMAssessing RMM• Now that we have obtained our Now that we have obtained our

understanding and performed our risk understanding and performed our risk assessment procedures it is time to assessment procedures it is time to assess the RMMassess the RMM

The assessment must be made at the The assessment must be made at the financial statement level and relevant financial statement level and relevant assertion level related to:assertion level related to:

• Classes of transactionsClasses of transactions• Account balancesAccount balances• DisclosuresDisclosures

May 14, 2008May 14, 2008 4646

Assessing RMMAssessing RMM

Assessing RMM (Continued)Assessing RMM (Continued) Risks should be identified throughout the process of Risks should be identified throughout the process of

obtaining understanding of the entity and its obtaining understanding of the entity and its environment, including relevant controls that relate environment, including relevant controls that relate to risks, and consider the classes of transactions, to risks, and consider the classes of transactions, account balances and disclosuresaccount balances and disclosures

Relate identified risks to what can go wrong at the Relate identified risks to what can go wrong at the relevant assertion levelrelevant assertion level

Consider whether risks are of magnitude that could Consider whether risks are of magnitude that could result in material misstatementresult in material misstatement

Consider the likelihood that the risks could result in Consider the likelihood that the risks could result in material misstatementmaterial misstatement

May 14, 2008May 14, 2008 4747

Assessing RMMAssessing RMM

Assessing RMM (Continued)Assessing RMM (Continued) Determine whether risks relate to specific Determine whether risks relate to specific

relevant assertions or to the financial relevant assertions or to the financial statements as a whole (weak control statements as a whole (weak control environment)environment)

Risk assessment is used to determine the Risk assessment is used to determine the nature, timing and extent of further audit nature, timing and extent of further audit procedures to be performedprocedures to be performed

If the expectation is that controls are If the expectation is that controls are operating effectively at the relevant operating effectively at the relevant assertion level, tests of controls must be assertion level, tests of controls must be performedperformed

May 14, 2008May 14, 2008 4848

Assessing RMMAssessing RMM

Assessing RMM (Continued)Assessing RMM (Continued)• Significant RisksSignificant Risks

Require special audit considerationRequire special audit consideration Based on auditor’s judgmentBased on auditor’s judgment Considerations include:Considerations include:

• Inherent riskInherent risk• Risk of fraudRisk of fraud• Related to recent significant economic, accounting or Related to recent significant economic, accounting or

other developmentsother developments• ComplexityComplexity• Related partiesRelated parties• Significant nonroutine transactionsSignificant nonroutine transactions• Significant estimatesSignificant estimates

May 14, 2008May 14, 2008 4949

Assessing RMMAssessing RMM

Assessing RMM (Continued)Assessing RMM (Continued) Auditor’s response:Auditor’s response:

• If the auditor has not already done so, evaluate If the auditor has not already done so, evaluate design of the entity’s controls related to the risksdesign of the entity’s controls related to the risks

• This will be discussed further in the next section, This will be discussed further in the next section, Performing Procedures in Response to Assessed Performing Procedures in Response to Assessed RisksRisks

May 14, 2008May 14, 2008 5050

Procedures to be PerformedProcedures to be Performed

How do we respond to our RMM?How do we respond to our RMM? There are two types of responsesThere are two types of responses

• Overall responses at the financial Overall responses at the financial statement levelstatement level

Maintain professional skepticismMaintain professional skepticism Assigning more experienced staffAssigning more experienced staff Using specialistsUsing specialists Performing procedures at year-end rather Performing procedures at year-end rather

than during the interimthan during the interim

May 14, 2008May 14, 2008 5151

Procedures to be PerformedProcedures to be Performed

• Responses at the relevant assertion Responses at the relevant assertion levellevel

Auditors should design and perform further Auditors should design and perform further audit procedures whose nature, timing and audit procedures whose nature, timing and extent are based on/responsive to the RMMextent are based on/responsive to the RMM

The purpose is to provide clear linkage The purpose is to provide clear linkage between the procedures performed and the between the procedures performed and the RMMRMM

May 14, 2008May 14, 2008 5252

Procedures to be PerformedProcedures to be Performed

• Responses at the relevant assertion Responses at the relevant assertion level (Continued)level (Continued)

ConsiderationsConsiderations• Significance of the riskSignificance of the risk• Likelihood of material misstatementLikelihood of material misstatement• Characteristics of the class of transactions, Characteristics of the class of transactions,

account balance, or disclosure involvedaccount balance, or disclosure involved• Nature of the specific controls used by the entity Nature of the specific controls used by the entity

being audited (manual vs. automated)being audited (manual vs. automated)• Whether the auditor expects to test controlsWhether the auditor expects to test controls

May 14, 2008May 14, 2008 5353

Procedures to be PerformedProcedures to be Performed

Audit approachAudit approach• Risk assessment at the relevant assertion level Risk assessment at the relevant assertion level

is the basis for the auditors approachis the basis for the auditors approach• Must have a basis to default to maximum Must have a basis to default to maximum

control riskcontrol risk• Can be a combination of tests of controls and Can be a combination of tests of controls and

substantive proceduressubstantive procedures• Even if controls are determined to be Even if controls are determined to be

functioning effectively, substantive procedures functioning effectively, substantive procedures must be performedmust be performed

Effective internal controls only reduce, not eliminate, Effective internal controls only reduce, not eliminate, the RMMthe RMM

May 14, 2008May 14, 2008 5454

Procedures to be PerformedProcedures to be Performed

Audit Approach (Continued)Audit Approach (Continued)• Analytical procedures alone may not be Analytical procedures alone may not be

sufficientsufficient Allowance for doubtful accountsAllowance for doubtful accounts IBNR accrualsIBNR accruals

• Regardless of the approach, the auditor Regardless of the approach, the auditor should perform substantive procedures should perform substantive procedures for all relevant assertions related to for all relevant assertions related to each material class of transactions, each material class of transactions, account balance and disclosureaccount balance and disclosure

May 14, 2008May 14, 2008 5555

Procedures to be PerformedProcedures to be Performed

Nature, Timing and ExtentNature, Timing and Extent• NatureNature

Refers to purpose (tests of controls or Refers to purpose (tests of controls or substantive procedures) and type substantive procedures) and type (inspection, observation, recalculation, (inspection, observation, recalculation, analytical, etc.)analytical, etc.)

Based on RMM at relevant assertion levelBased on RMM at relevant assertion level If information is being used from the entity’s If information is being used from the entity’s

information system for audit procedures, information system for audit procedures, evidence should be obtained about the evidence should be obtained about the accuracy and completeness of that accuracy and completeness of that informationinformation

May 14, 2008May 14, 2008 5656

Procedures to be PerformedProcedures to be Performed

Nature, Timing and Extent (Continued)Nature, Timing and Extent (Continued)• TimingTiming

Audit procedures performed at interim period or end-Audit procedures performed at interim period or end-of-periodof-period

If procedures are performed at an interim period, the If procedures are performed at an interim period, the auditor should consider the additional evidence that auditor should consider the additional evidence that is necessary for the remaining periodis necessary for the remaining period

ConsiderationsConsiderations• Control environmentControl environment• Nature of riskNature of risk

Certain procedures can only be performed at year-Certain procedures can only be performed at year-endend

• Reconciling accounting records to financial statementsReconciling accounting records to financial statements• Examining financial statement adjustmentsExamining financial statement adjustments

May 14, 2008May 14, 2008 5757

Procedures to be PerformedProcedures to be Performed

• ExtentExtent Based on auditor’s judgment after Based on auditor’s judgment after

consideringconsidering• Tolerable misstatementTolerable misstatement• RMMRMM• The degree of assurance the auditor plans to The degree of assurance the auditor plans to

obtainobtain The higher the RMM, the more likely an The higher the RMM, the more likely an

increase in the extent of audit proceduresincrease in the extent of audit procedures• Only effective if the audit procedures is relevant Only effective if the audit procedures is relevant

to the specific risk and reliable; therefore the to the specific risk and reliable; therefore the nature of the audit procedure is the most nature of the audit procedure is the most important considerationimportant consideration

May 14, 2008May 14, 2008 5858

Procedures to be PerformedProcedures to be Performed

Tests of ControlsTests of Controls• Should be performed when:Should be performed when:

Auditor, based on risk assessment, relies on the Auditor, based on risk assessment, relies on the effectiveness of controlseffectiveness of controls

Substantive procedures alone do not provide Substantive procedures alone do not provide appropriate audit evidence at the relevant assertion appropriate audit evidence at the relevant assertion levellevel

• Inquiry alone is not sufficient audit evidenceInquiry alone is not sufficient audit evidence• Use a combination of proceduresUse a combination of procedures

Inquiry and observationInquiry and observation Inspection and re-performanceInspection and re-performance

May 14, 2008May 14, 2008 5959

Procedures to be PerformedProcedures to be Performed

Tests of Controls (Continued)Tests of Controls (Continued)• Auditor may use evidence obtained in prior Auditor may use evidence obtained in prior

auditsaudits However, auditor should obtain evidence about However, auditor should obtain evidence about

whether or not changes have occurred to the whether or not changes have occurred to the applicable controlsapplicable controls

If controls have changed from prior audit, the auditor If controls have changed from prior audit, the auditor should re-test the controlsshould re-test the controls

Considerations:Considerations:• Effectiveness of other IC elements (control Effectiveness of other IC elements (control

environment, risk assessment, monitoring)environment, risk assessment, monitoring)• Effectiveness of IT general controlsEffectiveness of IT general controls• Risk of material misstatement and the extent of Risk of material misstatement and the extent of

reliance on the controlreliance on the control

May 14, 2008May 14, 2008 6060

Procedures to be PerformedProcedures to be Performed

Tests of Controls (Continued)Tests of Controls (Continued)• Auditor should test controls at least once in Auditor should test controls at least once in

every third year of an annual auditevery third year of an annual audit Unless the control is related to a significant risk, Unless the control is related to a significant risk,

whereby the control must be tested for the current whereby the control must be tested for the current audit periodaudit period

• Conditions that could decrease the period for Conditions that could decrease the period for re-testing a control; or cause the auditor to not re-testing a control; or cause the auditor to not rely on evidence obtained in prior audits:rely on evidence obtained in prior audits:

Weak control environmentWeak control environment Weak monitoring controlsWeak monitoring controls Significant personnel changesSignificant personnel changes Weak IT controlsWeak IT controls

May 14, 2008May 14, 2008 6161

Procedures to be PerformedProcedures to be Performed

Substantive Procedures (SP)Substantive Procedures (SP)• To reiterate, regardless of the assessed RMM, To reiterate, regardless of the assessed RMM,

the auditor should design and perform the auditor should design and perform substantive procedures for all relevant substantive procedures for all relevant assertions related to each material class of assertions related to each material class of transactions, account balance and disclosuretransactions, account balance and disclosure

• SP should include the following regarding the SP should include the following regarding the financial statement reporting process:financial statement reporting process:

Reconciling the financial statements (including notes) Reconciling the financial statements (including notes) to the underlying accounting recordsto the underlying accounting records

Examining material journal entries and other Examining material journal entries and other adjustments made when preparing the financial adjustments made when preparing the financial statementsstatements

May 14, 2008May 14, 2008 6262

Procedures to be PerformedProcedures to be Performed SP (Continued)SP (Continued)

• SP includes tests of details and substantive analytical SP includes tests of details and substantive analytical proceduresprocedures

Tests of detailsTests of details• Ordinarily applicable to obtain audit evidence with regards to Ordinarily applicable to obtain audit evidence with regards to

relevant assertions about account balances, including relevant assertions about account balances, including existence and valuationexistence and valuation

Substantive analytical proceduresSubstantive analytical procedures• Ordinarily applicable to large volumes of transactions that tend Ordinarily applicable to large volumes of transactions that tend

to be predictable over timeto be predictable over time

• The auditor’s determination of SP are affected by The auditor’s determination of SP are affected by whether evidence has been obtained about the whether evidence has been obtained about the operating effectiveness of controlsoperating effectiveness of controls

• The greater the RMM, the less detection risk that can be The greater the RMM, the less detection risk that can be acceptedaccepted

Result: Greater the extent of SPResult: Greater the extent of SP

May 14, 2008May 14, 2008 6363

Procedures to be PerformedProcedures to be Performed

SP (Continued)SP (Continued)• Significant risksSignificant risks

Auditor should design and perform SP that Auditor should design and perform SP that specifically respond to the risk(s)specifically respond to the risk(s)

Perform tests of details, or a combination of Perform tests of details, or a combination of tests of details and analytical procedurestests of details and analytical procedures

• Analytical procedures alone (as it relates to Analytical procedures alone (as it relates to significant risks) is not sufficient appropriate audit significant risks) is not sufficient appropriate audit evidenceevidence

May 14, 2008May 14, 2008 6464

Procedures to be PerformedProcedures to be Performed

Adequacy of Presentation and Adequacy of Presentation and DisclosureDisclosure• Auditor should perform audit procedures Auditor should perform audit procedures

to evaluate whether the overall to evaluate whether the overall presentation of the financial statements, presentation of the financial statements, including the related disclosures, are in including the related disclosures, are in accordance with GAAPaccordance with GAAP

May 14, 2008May 14, 2008 6565

Procedures to be PerformedProcedures to be Performed

Evaluating the Sufficiency and Evaluating the Sufficiency and Appropriateness of the Audit Evidence Appropriateness of the Audit Evidence ObtainedObtained• Based on audit procedures performed, Based on audit procedures performed,

evaluate whether the assessments of the RMM evaluate whether the assessments of the RMM remain appropriateremain appropriate

• Audit evidence obtained may cause the auditor Audit evidence obtained may cause the auditor to modify the nature, timing and extent of to modify the nature, timing and extent of proceduresprocedures

• The auditor should not assume that instances The auditor should not assume that instances of fraud and/or errors are isolatedof fraud and/or errors are isolated

May 14, 2008May 14, 2008 6666

Procedures to be PerformedProcedures to be Performed

• The sufficiency and appropriateness of audit The sufficiency and appropriateness of audit evidence are a matter of professional judgment evidence are a matter of professional judgment and is influenced by factors such as:and is influenced by factors such as:

Persuasiveness of audit evidencePersuasiveness of audit evidence Understanding of the entity, including ICUnderstanding of the entity, including IC Effectiveness of management’s responses and Effectiveness of management’s responses and

controls to address the riskscontrols to address the risks Source and reliability of informationSource and reliability of information Significance of the potential misstatement in the Significance of the potential misstatement in the

relevant assertion and the likelihood of material relevant assertion and the likelihood of material misstatement (individually and collectively)misstatement (individually and collectively)

May 14, 2008May 14, 2008 6767

Audit DocumentationAudit Documentation

What should the auditor document?What should the auditor document?• In a nutshell, EVERYTHING!!In a nutshell, EVERYTHING!!

The manner that audit evidence is The manner that audit evidence is documented is based on auditor’s documented is based on auditor’s judgmentjudgment

SAS 103, SAS 103, Audit DocumentationAudit Documentation, , provides general guidance and provides general guidance and common techniquescommon techniques

May 14, 2008May 14, 2008 6868

Audit DocumentationAudit Documentation Documentation specificsDocumentation specifics

• Key elements when obtaining understanding of Key elements when obtaining understanding of entity and its environment, including ICentity and its environment, including IC

• Audit team discussionAudit team discussion• RMM at the financial statement and relevant RMM at the financial statement and relevant

assertion levelsassertion levels• Significant audit risksSignificant audit risks• Overall responses to RMMOverall responses to RMM• Nature, timing and extent of further audit Nature, timing and extent of further audit

proceduresprocedures• The linkage of the procedures performed to the The linkage of the procedures performed to the

risks at the relevant assertion levelrisks at the relevant assertion level

May 14, 2008May 14, 2008 6969

Wrap-upWrap-up

Culture changeCulture change Most of this is not new; but the approach Most of this is not new; but the approach

may change.may change.• How much will vary dependent upon your How much will vary dependent upon your

current approachcurrent approach Partners and managers should be involved Partners and managers should be involved

early in the processearly in the process• This will assist with properly identifying RMM This will assist with properly identifying RMM

and designing the nature, timing and extent of and designing the nature, timing and extent of further audit proceduresfurther audit procedures

May 14, 2008May 14, 2008 7070

Wrap-upWrap-up

More than likely, you will not get it More than likely, you will not get it right the first timeright the first time

Continued education of audit staffContinued education of audit staff• This will be critical in achieving an This will be critical in achieving an

effective and efficient auditeffective and efficient audit Educate your clientsEducate your clients

• Costs will need to be passed onCosts will need to be passed on SAS 112 considerationsSAS 112 considerations

May 14, 2008May 14, 2008 7171

QuestionsQuestions

Anyone, anyone, Bueller?Anyone, anyone, Bueller?