Auditing and Attest Standards Update Florida Government Finance Officers Association

1
Auditing and Attest Standards UpdateFlorida
Government Finance Officers Association

• May 19, 2008
• Harold L. Monk, Jr. CPA, CFE

2
Session Objectives

• Discuss recent ASB activity and obtain an
  understanding of recently issued auditing and
  quality control standards.
• Discuss other recent audit activities and obtain
  an understanding of guidance available to assist
  practitioners in improving the effectiveness and
  efficiency of their engagements and practices.

3
Recent Auditing Standards Board Activities

• Clarity Project

4
Clarity

• Background
• Discussion paper issued March 2007
• ASB considered comments received and approved
  direction forward August 2007
• Goals
• Address concerns over length and complexity of
  standards
• Make standards easier to read, understand and
  implement
• Will lead to enhancements in audit quality

5
Clarity Drafting Conventions

• Introduction
• Objective
• Definitions
• Terms used in the SAS are defined
• Establish separate glossary of terms
• Requirements and Application Material

6
Objective

• Create objectives for each standard
• Establish obligation relating to the objective
• Provide a framework for the application of
  professional judgment
• Outcome based goal
• Difficult to achieve the overall objective of the
  audit if individual objectives are not achieved

7
Requirements and Application Material

• Application and other explanatory material
  presented in a separate section that follows the
  requirements
• Application and other explanatory material
  paragraphs numbered using an A prefix
• Cross-referencing between requirements and
  related application material

8
Other

• Special considerations sections
• for governmental entities
• for smaller, less complex entities

9
Clarity and Convergence

• Convergence with ISAs
• Removal of unnecessary differences
• Supplemental materials with EDs
• Exhibit of substantive differences with ISA
• Mapping of the requirements and guidance
  contained within extant AU section to the
  proposed SAS and
• Schedule of proposed changes in requirements and
  explanatory material as a result of redrafting.
• Schedule of detailed changes in language between
  the proposed SAS and the ISA.

10
Audit and Attest UpdateClarity Project

• Project will take 2 - 3 years to complete
• During this period, few new standards will be
  issued
• Only those that are needed to respond to emerging
  issues (e.g. SAS 74)
• Clarified standards will be exposed over the
  next few years and finalized
• Target date for final approval June 2010

11
Audit and Attest UpdateClarity Project

• Once finalized, theyll be made available to
  practitioners.
• However, the standards will not become effective
  piecemeal.
• With limited exceptions, all clarified
  standards will become effect at the same time
• Most likely 2011

12
Audit and Attest Update

• Risk Assessment Standards
• SASs 104-111

13
Risk Assessment Standards

• The risk assessment standards consist of
• SAS No. 104, Amendment to Statement on Auditing
  Standards No. 1
• SAS No. 105, Amendment to Statement on Auditing
  Standards No. 95, Generally Accepted Auditing
  Standards
• SAS No. 106, Audit Evidence
• SAS No. 107, Audit Risk and Materiality in
  Conducting an Audit (Audit Risk and Materiality)
• SAS, No. 108, Planning and Supervision
• SAS No. 109, Understanding the Entity and Its
  Environment and Assessing the Risks of Material
  Misstatement (Assessing Risks)
• SAS No. 110, Performing Audit Procedures in
  Response to Assessed Risks and Evaluating the
  Audit Evidence Obtained (Performing Procedures)
• SAS No. 111, Amendment to Statement on Auditing
  Standards No. 39, Audit Sampling

14
Background

• Objective is to guide auditors to areas of
  greatest risk whether caused by error or fraud
• Issued in March 2006.
• Effective for periods beginning after 12/15/06.

15
Risk Assessment Standards

• Enhances the auditors application of the audit
  risk model in practice by requiring
• More in-depth understanding of the entity and its
  environment, including its internal control
• More rigorous assessment of the risks of material
  misstatement
• Improved linkage between the assessed risks and
  the nature, timing, and extent of audit
  procedures performed

16
Overview of Risk Assessment Process
Gain an understanding of the entity
Perform risk assessment procedures
Assess the risks of material misstatement
Assertion Level
Overall financial statement Level
Further audit procedures
Overall Responses
Evaluate Sufficiency of Audit Evidence
17
QAInternal Control

• QuestionCan I still default to a maximum control
  risk?
• AnswerNo. The standards require that the auditor
  obtain a sufficient understanding of the clients
  internal control to assess control risk.

18
QAInternal Control

• QuestionWhere the auditor anticipates the entity
  may not have effective internal control, and
  therefore intends to design an all substantive
  audit, do the standards require the auditor to
  obtain an understanding of internal control?
• AnswerYes. SAS 109 require auditors to obtain an
  understand of the five components of internal
  control and whether controls have been
  implemented.

19
QAInternal Control

• QuestionThe standards say the auditor should
  test controls when they have an expectation of
  the operating effectiveness of controls. What
  does that phrase mean?
• AnswerIt means the auditors initial assessment
  of control risk is at less than maximum and the
  auditors strategy contemplates a combined
  approach.

20
QAInternal Control

• QuestionCan an auditor design a substantive
  audit approach even if the auditors assessment
  of internal control causes him or her to believe
  that controls are designed effectively?
• AnswerYes, if the auditor believes that the
  costs of testing controls exceeds the benefits of
  testing.

21
QAInternal Control

• QuestionIn smaller entities, the control
  environment might be less formal than larger
  entities. Is the auditor required to obtain an
  understanding of these less formal controls, and
  when do these controls need to be tested?
• AnswerYes, the auditor is required to obtain an
  understanding of the five components of internal
  control. If an auditor intends to rely on the
  control environment, he or she is required to
  test those controls.

22
QAInternal Control

• QuestionIf the auditor decides not to test
  controls, does that mean there is a control
  deficiency that must be evaluated under SAS 112?
• AnswerNot necessarily. It depends on why the
  auditor decides not to test the control. If not
  tested because testing is inefficient, then no.
  If not tested because of poor design, then yes.

23
QAInherent Risk

• Question Inherent risk is the susceptibility of
  a relevant assertion to a misstatement that could
  be material assuming that there are no related
  controls. Can an auditor ignore all controls if
  the auditor assesses inherent risk as low?
• AnswerNo. A low inherent risk does not mean a
  low risk of material misstatement. The auditor is
  required to assess RMM (IR X CR). Be careful as
  to assumed controls.

24
QAUse of Walkthroughs

• QuestionHow often do walkthroughs need to occur?
  
• AnswerAuditors will most likely perform
  walkthroughs annually to document their
  understanding of internal control and to
  establish the continued reliance of audit
  evidence obtained in prior periods.

25
QAUse of Walkthroughs

• QuestionWhen I perform a walkthrough of controls
  with my client, may I suggest client improvements
  in internal control?
• AnswerYes! A byproduct of obtaining an
  understanding of internal control is making
  suggestions for improvement to the client. That
  brings value to the audit process.

26
QAJournal Entries

• QuestionParagraph 52 of SAS No. 110 refers to
  adjustments made during the course of preparing
  the financial statements to address entries
  prepared by the client during the process of
  drafting the financial statements (rather than
  all entries posted in the accounting system at
  year end). Is this correct?
• AnswerYes, this requirement relates to entries
  posted during the financial statement closing
  process. SAS 99 establishes requirements to test
  journal entries during the audit period.

27
Risk Assessment Standards

• Resources available
• Audit Guide Assessing and Responding to Audit
  Risk in a Financial Statement Audit
• Audit Risk Alert Issued in March 2006
• CPE Courses
• Articles in JOA
• Technical Practice Aid

28
Audit and Attest Standards Update

• Proposed Revisions of AT 501
• And SAS 112

29
Proposed Revisions of AT 501

• ASB task force working with bank regulators to
  revise AT 501
• New ED will incorporate elements of PCAOB AS5
• Plan is to expose May 2008 and finalize early
  fall
• Revised AT 501 is expected to be effective for
  years ending on or after December 15, 2008
• Most firms who would use AT 501 will already be
  using AS 5

30
Proposed Revisions of AT 501

• Requires a scope of work similar to PCAOB AS5
  when engaged to examine the design and operating
  effectiveness of internal control over financial
  reporting
• Will contain reporting guidance when scope of
  internal control has been expanded, for example,
  examinations of internal control of insured
  depository institutions subject to internal
  control reporting requirements of FDICIA

31
Proposed Revisions of AT 501

• Like AS 5, an AT 501 examination will be an
  integrated engagement with the audit of the
  financial statements.
• Will only be able to use AT 501 when financial
  statements are also audited
• Examining and reporting on only design
  effectiveness of internal control will be moved
  to AT 101 and then audited financial statements
  are not required.

32
Proposed Revisions of AT 501

• A material weakness is a deficiency, or a
  combination of deficiencies, in internal control,
  such that there is a reasonable possibility that
  a material misstatement of the entitys financial
  statements will not be prevented or detected on a
  timely basis.
• Note There is a reasonable possibility of an
  event, as used in this Statement, when the
  likelihood of the event is either "reasonably
  possible" or "probable," as those terms are used
  in Financial Accounting Standards Board Statement
  No. 5, Accounting for Contingencies

33
Proposed Revisions of AT 501

• A significant deficiency is a deficiency, or a
  combination of deficiencies, in internal control
  that is less severe than a material weakness, yet
  important enough to merit attention by those
  charged with governance.
• ASB will debate whether more specificity will be
  needed since this definition leaves the door
  wide open

34
Proposed Revisions of SAS 112

• Conforming changes will also be made using these
  same definitions.
• Definitional changes will be effective most
  likely in 2009 (early implementation may be
  allowed?)
• Other changes will be made through the clarity
  project

35
Audit and Attest Standards Update

• Other Current ASB Projects

36
Audit and Attest Standards UpdateOther Current
ASB Projects

• Revisions to SAS 74 and other conforming changes
  in response to PCIE report
• Revisions to SAS 70
• Move Service Organization examination to AT
  Standards
• Revisions to auditing estimates and fair value
• Finalize SAS 69 to remove GAAP hierarchy for FASB
  incorporation
• Revise AU 534 Financial Statements Prepared for
  Use in Other Countries if IFRS gets recognized
  as equivalent U.S. GAAP

37
SAS 74 Amendments

• Amend SAS 74 to provide additional auditing
  guidance when an audit of compliance is performed
  in connection with a GAAS and GAGAS audit of
  financial statements (i.e. OMB A-133 Audit).
• A Compliance examination performed when an audit
  is not required, would continue to be performed
  under AT 601

38
TPA Issued on AU 543 Use of Other Auditors

• QuestionCan U.S. auditor divide responsibility
  and refer to other auditors report if other
  audit was conducted in accordance with
  International Standards of Auditing or another
  countrys auditing standards?
• AnswerNo, presumption is that audit of group was
  conducted in accordance with auditing standards
  generally accepted in the U.S.

39
Audit and Attest Standards Update

• Statement Quality Control Standard 7

40
SQCS No. 7

• Issued October 2007
• Effective as of January 1, 2009
• Supersedes all previous SQCSs

41
SQCS No. 7

• The firm must establish a system of quality
  control designed to provide it with reasonable
  assurance that
• The firm and its personnel comply with
  professional standards and applicable regulatory
  and legal requirements, and
• Reports issued are appropriate in the
  circumstances

42
SQCS No. 7

• A system of quality control consists of
• Policies designed to achieve these objectives
  and
• The procedures necessary to implement and monitor
  compliance with those policies.

43
SQCS No. 7

• Documentation and Communication
• Required to document QC policies and procedures.
• Extent based on firm characteristics
• Required to communicate QC policies and
  procedures to personnel.
• More effective if in writing, but not required to
  be.

44
Required Elements of QC System

• Leadership responsibilities for quality within
  the firm (the tone at the top)
• Relevant ethical requirements
• Acceptance and continuance of client
  relationships and specific engagements
• Human resources
• Engagement performance
• Monitoring

45
Tone at the Top

• Objective Promote a quality-oriented internal
  culture
• Requires firms to assign its management
  responsibilities so that commercial
  considerations do not override the quality of
  work performed.
• Address personnel performance evaluation,
  compensation and advancement to demonstrate the
  firms overarching commitment to quality.

46
Relevant Ethical Requirements

• Objective - reasonable assurance that the firm
  and its personnel comply with relevant ethical
  requirements.
• Independence more specific guidance
• Communicate independence requirements to
  personnel
• Identify and evaluate threats
• Annually obtain written confirmation from all
  personnel required to be independent

47
Acceptance and Continuance

• Objective - Firm should undertake or continue
  relationships and engagements only where it
• Has considered the integrity of the client and
  the risks associated with providing professional
  services in the particular circumstances.
• Is competent to perform the engagement and has
  the capabilities and resources to do so.
• Can comply with legal and ethical requirements.
• Has reached an understanding with the client
  regarding the services to be performed.

48
Acceptance and Continuance

• Obtain an understanding with the client regarding
  the services to be performed, preferably in
  writing.
• Establish procedures on withdrawal from an
  engagement or from both the engagement and the
  client relationship
• Document how issues were resolved.

49
Human Resources

• Objective reasonable assurance of sufficient
  personnel with the necessary capabilities,
  competence and commitment to ethical principles

50
Human Resources

• Policies and procedures should address
• Recruitment and hiring, if applicable
• Determining capabilities and competencies
• Assigning personnel to engagements, if
  applicable
• Professional development and
• Performance evaluation, compensation and
  advancement.

51
Engagement Performance

• Objectives - engagements are consistently
  performed in accordance with professional
  standards and regulatory and legal requirements,
  and the firm or the engagement partner issues
  reports that are appropriate in the
  circumstances.

52
Engagement Performance

• Detailed guidance on
• Engagement performance
• Supervision responsibilities
• Review responsibilities
• Engagement documentation
• Consultation policies and procedures
• Resolution of differences of opinions, including
  a requirement that reports not be released until
  the differences of opinions are resolved.

53
Engagement Quality Control Review (EQCR)

• Establish firm criteria for determining whether
  an engagement quality control review should be
  performed
• Evaluate all engagements against the criteria
• Perform an engagement quality control review for
  all engagements that meet the firms criteria,
  and complete the review before the report is
  released.
• Establish procedures addressing the nature,
  timing, extent and documentation of the
  engagement quality control review.

54
EQCR - Procedures

• An objective evaluation of the significant
  judgments made by the engagement team, and the
  conclusions reached in formulating the report.
• Reading the financial statements or other subject
  matter information and the report, and
  consideration of whether the report is
  appropriate.
• Review of selected engagement documentation
  relating to the significant judgments the
  engagement team made and the conclusions they
  reached
• Discussion with the engagement partner regarding
  significant findings and issues.
• Extent depends on the complexity of the
  engagement and the risk that the report might not
  be appropriate in the circumstances.

55
Monitoring

• Objective reasonable assurance that QC policies
  and procedures are
• Relevant
• Adequate
• Operating effectively
• Complied with in practice

56
Monitoring - Requirements

• Ongoing evaluation of appropriateness of design
  and operating effectiveness
• Assign responsibility for the monitoring process
  to a partner.
• Assign performance of the monitoring process to
  competent individuals.
• Perform sufficiently comprehensive procedures.

57
Monitoring

• Monitoring procedures may be accomplished through
  the performance of
• Engagement quality control review
• Post-issuance review of engagement working
  papers, reports, and clients financial
  statements for selected engagements
• Inspection procedures

58
Monitoring

• Self-inspection
• Not prohibited
• Higher risk that noncompliance with policies and
  procedures will not be detected

59
Monitoring - Communication

• To engagement partners and others
• Deficiencies noted as a result of the monitoring
  process
• Recommendations for appropriate remedial action.
• To all relevant personnel
• Monitoring results at least annually.

60
Monitoring

• Procedures to deal appropriately with complaints
  and allegations
• Clear channels for personnel to raise concerns
  without fear of reprisal
• Documentation of complaints and responses

61
Monitoring - Documentation

• Document evidence of the operation of each
  element of its system of quality control.
• Form and content based on firm characteristics
• Retain this documentation for a period of time
  sufficient to permit those performing monitoring
  procedures and peer review to evaluate the firms
  compliance.

62
SQCS No. 7 - Practice Aid

• AICPA Audit and Accounting Practice Aid Series,
• Establishing and Maintaining
• a System of Quality Control for
• a CPA Firms Accounting and Auditing Practice
• Product No. 006636

63
Questions?