
RISK ASSESSMENT STANDARDS WHAT YOU NEED TO KNOW

NEELY DUNCAN, CPA, CFE, FCPA

AUDIT MANAGER

June 19, 2008

Introduction

Welcome

Agenda

Risk assessment standards

Impact on your audit

Benefits to your organization

Requirements

Internal control deficiencies

What can you do to help (and keep audit costs down)

Lane Gorman Trubitt, L.L.P. 6/19/08

Risk Assessment Standards

Auditing profession continually reviews practices and makes necessary improvements.

Goal is to maintain and enhance the quality of independent audits and achieve international convergence.

Post Enron and Sarbanes-Oxley - Higher expectations of auditors

Require sweeping changes in our audit process.

Will result in increased effort by both your company and your auditors.

Effective for audits of financial statements for periods beginning on or after December 15, 2006.

What is Risk Assessment?

More focused audit approach.

Considers at a detailed level what can go wrong in your accounting records and in the preparation of your financial statements.

Identifies areas where material errors or fraud are more likely to occur.

Concentrates audit effort in those areas.

Depends on the depth of our understanding of your company, industry, and internal controls.

Risk Assessment Standards

SAS 104 Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards & Procedures

SAS 105 Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards

SAS 106 Audit Evidence

SAS 107 Audit Risk & Materiality in Conducting an Audit

SAS 108 Planning & Supervision

SAS 109 Understanding the Entity and Its Environment & Assessing the Risks of Material Misstatement

SAS 110 Performing Audit Procedures in Response to Assessed Risks & Evaluating the Audit Evidence Obtained

SAS 111 Amendment to Statement on Auditing Standards No. 39, Audit Sampling

SAS 114 The Auditor’s Communication With Those Charged With Governance

Risk Assessment Standards

The objectives of the SASs are to improve audit effectiveness by requiring:

A more in-depth understanding of the entity and its environment, including its internal control.

More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements.

A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.

Impact to 2007 audits

Planning and supervision

Signed engagement letter before planning starts.

Approved communication from Audit Committee.

Requires more time from managers.

Knowledge of business and internal control assessment will add substantially more time.

Inquiry regarding internal control not enough – need to verify by doing walkthroughs of all major cycles.

Required to assess key IT controls, security & changes – may need IT specialist.

Obtain Type II SAS 70 reports for significant outsourced services – for instance, payroll, claims processing, etc.

Three planning meetings will be necessary for your auditors.

Determine what info to gather and how – walkthroughs, etc.

Perform risk assessment including fraud brainstorming

Responses to risks – develop audit plan and tailor programs

Impact to 2007 audits (cont)

Risk assessment

Risk based audit approach required – not a philosophical change for us.

No longer can assess control risk at maximum and do no work on controls.

Risk assessment much more detailed than we used in the past.

Risk by assertions to transaction cycle, accounts and disclosures

Documentation increased

Linkage to audit assertions, procedures, workpapers and conclusions

Will require more time from audit team management.

Impact to 2007 audits (cont)

Other matters

Many more management letter comments. Some clients will view this as adding value while others will view this as a problem.

2006 saw that all clients had at least one material weakness – they don’t prepare their F/S, we do. This will be reported every year, unless the client can take responsibility for them.

Bottom line estimated impact to fees:

Industry says 15-40%

Our estimate 10-15%

What are the Benefits to You?

A more thorough, effective, and focused audit.

We will be better able to:

Provide useful information

Identify problems or opportunities and make recommendations

Assist with special projects

Recommended improvements can help you avoid unexpected losses or expenses.

Better overall internal control.

What are the Requirements?

Obtain a more in-depth understanding of your company and its operating environment, including internal controls.

Identify the specific risks of material errors or fraud occurring and remaining undetected by you, along with the actions you are taking to mitigate those risks.

Perform a rigorous assessment of the risks of material misstatement of your financial statements based on that understanding.

Link that risk assessment with the resulting audit procedures.

Meet new documentation requirements.

[Diagram: Obtain Understanding; Identify Risks; Perform Risk Assessment; Link Risk Assessment to Audit Procedures; Meet New Documentation Requirements]

In-depth Understanding Of Company

Auditors are required to gather information to gain an in-depth understanding of the company and its environment.

Includes the following aspects:

External factors

Nature of the client

Objectives and strategies and related business risks

Measurement and review of the company’s financial performance

Internal control

Identify Risks of Material Misstatements

Consider:

Significance of transactions, account balances, and disclosures to the financial statements

Effectively designed controls that are in place

Based on the auditor’s understanding of the design and implementation of the company’s controls, identify those areas where material errors or fraud could occur.

Perform Risk Assessment

Required to assess the risk of material misstatement at:

Financial statement level – pervasive to financial statements as a whole and potentially affect many relevant assertions

Relevant assertion level – relate to specific classes of transactions, account balances, and disclosures at the assertion level

Perform Risk Assessment (continued)

Financial statement level risks should be related back to specific assertions.

Examples of financial statement level risks –

Overall weak control environment

Lack of qualified personnel in financial reporting roles

Management's process for making significant accounting estimates

Perform Risk Assessment (continued)

Examples of relevant assertion level risks –

Existence of accounts receivable

Occurrence of sales

Valuation of inventory

Presentation and disclosure of debt covenant compliance

Assertions

What are assertions?

Management’s implicit or explicit representations regarding the recognition, measurement, presentation and disclosure of information in the financial statements

Our audit approach is generally directed at specific assertions in order to properly link the assessed risks to our audit procedures.

Link Risk Assessment to Audit Procedures

Assessment of risk of material misstatement (at both the financial statement and assertion level) should be directly linked to the design and performance of audit procedures.

Audit programs and checklists must be tailored to reflect this linkage.

Examples –

Significant accruals that are subject to complex estimation

Inventory quantities that are difficult to count could be misstated

New Documentation Requirements

Auditors must have and document an appropriate basis for the audit approach.

This requirement eliminates the ability to assess control risk “at the maximum” without having a basis for the assessment (aka “default to max”).

“Default to max” – means placing no reliance on a company’s internal control and performing primarily detailed, substantive testing.

Typically, “defaulting to max” was considered to be more efficient for companies with a limited control environment.

New Documentation Requirements (cont.)

Audit documentation must be prepared in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand:

The nature, timing and extent of auditing procedures

The results of the audit procedures performed and the audit evidence obtained

The conclusions reached on significant matters; and

That the accounting records agree or reconcile with the audited financial statements or other audited information

Internal Control Deficiencies

Internal Control Deficiencies fall into three categories under SAS 112:

Control Deficiency - A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Can be communicated by the auditors verbally.

Significant Deficiency - A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected. Must be communicated by the auditors in writing.

Material Weakness - A material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. Must be communicated by the auditors in writing.

Objectives – Internal Control

What is internal control?

Who is involved in internal control?

How to improve internal control

What is Internal Control?

Establish effective control environment

Identify “what can go wrong?” (risk assessment)

Implement controls to manage risk (control activities)

Implement reliable information system & communicate

Monitor control performance

What is Internal Control? (continued)

Entity level controls – Controls that affect the entire organization.

“Tone at the Top”

What can go wrong; anti-fraud programs

Assignment of authority

Distribution of financial information; IT general controls

Accountability by departments/functions

Activity level controls – Controls that capture, process, communicate information.

Transaction cycle controls

Segregation of duties

Entity-Level Controls

Control Environment

Attitudes, awareness, actions of Owners/Management (those charged with “governance”)

Risk Assessment

How Owners/Management consider risks and take actions to address them

Control Activities

Anti-fraud controls

IT general controls

Information & Communication

Capture events that affect reporting

Communicate reporting roles/responsibilities

Monitoring

High-level activities that monitor controls/overall accountability

Entity-Level Controls (continued)

What about Smaller Entities?

Smaller entities may use less formal means and processes to achieve their control objectives.

Therefore certain components of internal control may not be clearly distinguished, but the underlying purpose is equally valid.

Who is Involved with Internal Control?

Management has primary responsibility.

Not just for the accounting department.

Consider all aspects of the company that impact internal controls

Examples:

Hiring, Training, Promoting

Operations

Sales

Activity Level Controls

Information

Procedures to initiate, record, process and report transactions

Control Activities

Policies and procedures related to assertions

IT application controls

Segregation of duties, safeguard assets, reconciliations

[Diagram: Classes of Transactions; Account Balances; Disclosures]

How to Improve Internal Control

Ask “what can go wrong?”

Design controls to mitigate the risk.

Monitor control performance.

Set an appropriate tone at the top.

Exercise oversight of the financial reporting process.

Consider control recommendations identified by auditors.

What Can You Do to Help?

Document your key controls and perform your own risk assessment.

Respond promptly to inquiries and document requests.

Expect and prepare your staff for walkthroughs.

Communicate your questions or concerns.

Look at this as an opportunity to improve controls, not another “hoop to jump through”.