Title: Auditing and Attest Standards Update Florida Government Finance Officers Association
1Auditing and Attest Standards UpdateFlorida
Government Finance Officers Association
- May 19, 2008
- Harold L. Monk, Jr. CPA, CFE
2 Session Objectives
- Discuss recent ASB activity and obtain an
understanding of recently issued auditing and
quality control standards. - Discuss other recent audit activities and obtain
an understanding of guidance available to assist
practitioners in improving the effectiveness and
efficiency of their engagements and practices.
3Recent Auditing Standards Board Activities
4Clarity
- Background
- Discussion paper issued March 2007
- ASB considered comments received and approved
direction forward August 2007 - Goals
- Address concerns over length and complexity of
standards - Make standards easier to read, understand and
implement - Will lead to enhancements in audit quality
5Clarity Drafting Conventions
- Introduction
- Objective
- Definitions
- Terms used in the SAS are defined
- Establish separate glossary of terms
- Requirements and Application Material
6Objective
- Create objectives for each standard
- Establish obligation relating to the objective
- Provide a framework for the application of
professional judgment - Outcome based goal
- Difficult to achieve the overall objective of the
audit if individual objectives are not achieved
7Requirements and Application Material
- Application and other explanatory material
presented in a separate section that follows the
requirements - Application and other explanatory material
paragraphs numbered using an A prefix - Cross-referencing between requirements and
related application material
8Other
- Special considerations sections
- for governmental entities
- for smaller, less complex entities
9Clarity and Convergence
- Convergence with ISAs
- Removal of unnecessary differences
- Supplemental materials with EDs
- Exhibit of substantive differences with ISA
- Mapping of the requirements and guidance
contained within extant AU section to the
proposed SAS and - Schedule of proposed changes in requirements and
explanatory material as a result of redrafting. - Schedule of detailed changes in language between
the proposed SAS and the ISA.
10Audit and Attest UpdateClarity Project
- Project will take 2 - 3 years to complete
- During this period, few new standards will be
issued - Only those that are needed to respond to emerging
issues (e.g. SAS 74) - Clarified standards will be exposed over the
next few years and finalized - Target date for final approval June 2010
11Audit and Attest UpdateClarity Project
- Once finalized, theyll be made available to
practitioners. - However, the standards will not become effective
piecemeal. - With limited exceptions, all clarified
standards will become effect at the same time - Most likely 2011
12Audit and Attest Update
- Risk Assessment Standards
- SASs 104-111
13Risk Assessment Standards
- The risk assessment standards consist of
- SAS No. 104, Amendment to Statement on Auditing
Standards No. 1 - SAS No. 105, Amendment to Statement on Auditing
Standards No. 95, Generally Accepted Auditing
Standards - SAS No. 106, Audit Evidence
- SAS No. 107, Audit Risk and Materiality in
Conducting an Audit (Audit Risk and Materiality) - SAS, No. 108, Planning and Supervision
- SAS No. 109, Understanding the Entity and Its
Environment and Assessing the Risks of Material
Misstatement (Assessing Risks) - SAS No. 110, Performing Audit Procedures in
Response to Assessed Risks and Evaluating the
Audit Evidence Obtained (Performing Procedures) - SAS No. 111, Amendment to Statement on Auditing
Standards No. 39, Audit Sampling
14Background
- Objective is to guide auditors to areas of
greatest risk whether caused by error or fraud - Issued in March 2006.
- Effective for periods beginning after 12/15/06.
15Risk Assessment Standards
- Enhances the auditors application of the audit
risk model in practice by requiring - More in-depth understanding of the entity and its
environment, including its internal control - More rigorous assessment of the risks of material
misstatement - Improved linkage between the assessed risks and
the nature, timing, and extent of audit
procedures performed
16Overview of Risk Assessment Process
Gain an understanding of the entity
Perform risk assessment procedures
Assess the risks of material misstatement
Assertion Level
Overall financial statement Level
Further audit procedures
Overall Responses
Evaluate Sufficiency of Audit Evidence
17QAInternal Control
- QuestionCan I still default to a maximum control
risk? - AnswerNo. The standards require that the auditor
obtain a sufficient understanding of the clients
internal control to assess control risk.
18QAInternal Control
- QuestionWhere the auditor anticipates the entity
may not have effective internal control, and
therefore intends to design an all substantive
audit, do the standards require the auditor to
obtain an understanding of internal control? - AnswerYes. SAS 109 require auditors to obtain an
understand of the five components of internal
control and whether controls have been
implemented.
19QAInternal Control
- QuestionThe standards say the auditor should
test controls when they have an expectation of
the operating effectiveness of controls. What
does that phrase mean? - AnswerIt means the auditors initial assessment
of control risk is at less than maximum and the
auditors strategy contemplates a combined
approach.
20QAInternal Control
- QuestionCan an auditor design a substantive
audit approach even if the auditors assessment
of internal control causes him or her to believe
that controls are designed effectively? - AnswerYes, if the auditor believes that the
costs of testing controls exceeds the benefits of
testing.
21QAInternal Control
- QuestionIn smaller entities, the control
environment might be less formal than larger
entities. Is the auditor required to obtain an
understanding of these less formal controls, and
when do these controls need to be tested? - AnswerYes, the auditor is required to obtain an
understanding of the five components of internal
control. If an auditor intends to rely on the
control environment, he or she is required to
test those controls.
22QAInternal Control
- QuestionIf the auditor decides not to test
controls, does that mean there is a control
deficiency that must be evaluated under SAS 112? - AnswerNot necessarily. It depends on why the
auditor decides not to test the control. If not
tested because testing is inefficient, then no.
If not tested because of poor design, then yes.
23QAInherent Risk
- Question Inherent risk is the susceptibility of
a relevant assertion to a misstatement that could
be material assuming that there are no related
controls. Can an auditor ignore all controls if
the auditor assesses inherent risk as low? - AnswerNo. A low inherent risk does not mean a
low risk of material misstatement. The auditor is
required to assess RMM (IR X CR). Be careful as
to assumed controls.
24QAUse of Walkthroughs
- QuestionHow often do walkthroughs need to occur?
- AnswerAuditors will most likely perform
walkthroughs annually to document their
understanding of internal control and to
establish the continued reliance of audit
evidence obtained in prior periods.
25QAUse of Walkthroughs
- QuestionWhen I perform a walkthrough of controls
with my client, may I suggest client improvements
in internal control? - AnswerYes! A byproduct of obtaining an
understanding of internal control is making
suggestions for improvement to the client. That
brings value to the audit process.
26QAJournal Entries
- QuestionParagraph 52 of SAS No. 110 refers to
adjustments made during the course of preparing
the financial statements to address entries
prepared by the client during the process of
drafting the financial statements (rather than
all entries posted in the accounting system at
year end). Is this correct? - AnswerYes, this requirement relates to entries
posted during the financial statement closing
process. SAS 99 establishes requirements to test
journal entries during the audit period.
27Risk Assessment Standards
- Resources available
- Audit Guide Assessing and Responding to Audit
Risk in a Financial Statement Audit - Audit Risk Alert Issued in March 2006
- CPE Courses
- Articles in JOA
- Technical Practice Aid
28Audit and Attest Standards Update
- Proposed Revisions of AT 501
- And SAS 112
29Proposed Revisions of AT 501
- ASB task force working with bank regulators to
revise AT 501 - New ED will incorporate elements of PCAOB AS5
- Plan is to expose May 2008 and finalize early
fall - Revised AT 501 is expected to be effective for
years ending on or after December 15, 2008 - Most firms who would use AT 501 will already be
using AS 5
30Proposed Revisions of AT 501
- Requires a scope of work similar to PCAOB AS5
when engaged to examine the design and operating
effectiveness of internal control over financial
reporting - Will contain reporting guidance when scope of
internal control has been expanded, for example,
examinations of internal control of insured
depository institutions subject to internal
control reporting requirements of FDICIA
31Proposed Revisions of AT 501
- Like AS 5, an AT 501 examination will be an
integrated engagement with the audit of the
financial statements. - Will only be able to use AT 501 when financial
statements are also audited - Examining and reporting on only design
effectiveness of internal control will be moved
to AT 101 and then audited financial statements
are not required.
32Proposed Revisions of AT 501
- A material weakness is a deficiency, or a
combination of deficiencies, in internal control,
such that there is a reasonable possibility that
a material misstatement of the entitys financial
statements will not be prevented or detected on a
timely basis. - Note There is a reasonable possibility of an
event, as used in this Statement, when the
likelihood of the event is either "reasonably
possible" or "probable," as those terms are used
in Financial Accounting Standards Board Statement
No. 5, Accounting for Contingencies
33Proposed Revisions of AT 501
- A significant deficiency is a deficiency, or a
combination of deficiencies, in internal control
that is less severe than a material weakness, yet
important enough to merit attention by those
charged with governance. - ASB will debate whether more specificity will be
needed since this definition leaves the door
wide open
34Proposed Revisions of SAS 112
- Conforming changes will also be made using these
same definitions. - Definitional changes will be effective most
likely in 2009 (early implementation may be
allowed?) - Other changes will be made through the clarity
project
35Audit and Attest Standards Update
- Other Current ASB Projects
36Audit and Attest Standards UpdateOther Current
ASB Projects
- Revisions to SAS 74 and other conforming changes
in response to PCIE report - Revisions to SAS 70
- Move Service Organization examination to AT
Standards - Revisions to auditing estimates and fair value
- Finalize SAS 69 to remove GAAP hierarchy for FASB
incorporation - Revise AU 534 Financial Statements Prepared for
Use in Other Countries if IFRS gets recognized
as equivalent U.S. GAAP
37SAS 74 Amendments
- Amend SAS 74 to provide additional auditing
guidance when an audit of compliance is performed
in connection with a GAAS and GAGAS audit of
financial statements (i.e. OMB A-133 Audit). - A Compliance examination performed when an audit
is not required, would continue to be performed
under AT 601 -
38TPA Issued on AU 543 Use of Other Auditors
- QuestionCan U.S. auditor divide responsibility
and refer to other auditors report if other
audit was conducted in accordance with
International Standards of Auditing or another
countrys auditing standards? - AnswerNo, presumption is that audit of group was
conducted in accordance with auditing standards
generally accepted in the U.S.
39Audit and Attest Standards Update
- Statement Quality Control Standard 7
40SQCS No. 7
- Issued October 2007
- Effective as of January 1, 2009
- Supersedes all previous SQCSs
41SQCS No. 7
- The firm must establish a system of quality
control designed to provide it with reasonable
assurance that - The firm and its personnel comply with
professional standards and applicable regulatory
and legal requirements, and - Reports issued are appropriate in the
circumstances
42SQCS No. 7
- A system of quality control consists of
- Policies designed to achieve these objectives
and - The procedures necessary to implement and monitor
compliance with those policies.
43SQCS No. 7
- Documentation and Communication
- Required to document QC policies and procedures.
- Extent based on firm characteristics
- Required to communicate QC policies and
procedures to personnel. - More effective if in writing, but not required to
be.
44Required Elements of QC System
- Leadership responsibilities for quality within
the firm (the tone at the top) - Relevant ethical requirements
- Acceptance and continuance of client
relationships and specific engagements - Human resources
- Engagement performance
- Monitoring
45Tone at the Top
- Objective Promote a quality-oriented internal
culture - Requires firms to assign its management
responsibilities so that commercial
considerations do not override the quality of
work performed. - Address personnel performance evaluation,
compensation and advancement to demonstrate the
firms overarching commitment to quality.
46Relevant Ethical Requirements
- Objective - reasonable assurance that the firm
and its personnel comply with relevant ethical
requirements. - Independence more specific guidance
- Communicate independence requirements to
personnel - Identify and evaluate threats
- Annually obtain written confirmation from all
personnel required to be independent
47Acceptance and Continuance
- Objective - Firm should undertake or continue
relationships and engagements only where it - Has considered the integrity of the client and
the risks associated with providing professional
services in the particular circumstances. - Is competent to perform the engagement and has
the capabilities and resources to do so. - Can comply with legal and ethical requirements.
- Has reached an understanding with the client
regarding the services to be performed.
48Acceptance and Continuance
- Obtain an understanding with the client regarding
the services to be performed, preferably in
writing. - Establish procedures on withdrawal from an
engagement or from both the engagement and the
client relationship - Document how issues were resolved.
49Human Resources
- Objective reasonable assurance of sufficient
personnel with the necessary capabilities,
competence and commitment to ethical principles
50Human Resources
- Policies and procedures should address
- Recruitment and hiring, if applicable
- Determining capabilities and competencies
- Assigning personnel to engagements, if
applicable - Professional development and
- Performance evaluation, compensation and
advancement.
51Engagement Performance
- Objectives - engagements are consistently
performed in accordance with professional
standards and regulatory and legal requirements,
and the firm or the engagement partner issues
reports that are appropriate in the
circumstances.
52Engagement Performance
- Detailed guidance on
- Engagement performance
- Supervision responsibilities
- Review responsibilities
- Engagement documentation
- Consultation policies and procedures
- Resolution of differences of opinions, including
a requirement that reports not be released until
the differences of opinions are resolved.
53Engagement Quality Control Review (EQCR)
- Establish firm criteria for determining whether
an engagement quality control review should be
performed - Evaluate all engagements against the criteria
- Perform an engagement quality control review for
all engagements that meet the firms criteria,
and complete the review before the report is
released. - Establish procedures addressing the nature,
timing, extent and documentation of the
engagement quality control review.
54EQCR - Procedures
- An objective evaluation of the significant
judgments made by the engagement team, and the
conclusions reached in formulating the report. - Reading the financial statements or other subject
matter information and the report, and
consideration of whether the report is
appropriate. - Review of selected engagement documentation
relating to the significant judgments the
engagement team made and the conclusions they
reached - Discussion with the engagement partner regarding
significant findings and issues. - Extent depends on the complexity of the
engagement and the risk that the report might not
be appropriate in the circumstances.
55Monitoring
- Objective reasonable assurance that QC policies
and procedures are - Relevant
- Adequate
- Operating effectively
- Complied with in practice
56Monitoring - Requirements
- Ongoing evaluation of appropriateness of design
and operating effectiveness - Assign responsibility for the monitoring process
to a partner. - Assign performance of the monitoring process to
competent individuals. - Perform sufficiently comprehensive procedures.
57Monitoring
- Monitoring procedures may be accomplished through
the performance of - Engagement quality control review
- Post-issuance review of engagement working
papers, reports, and clients financial
statements for selected engagements - Inspection procedures
58Monitoring
- Self-inspection
- Not prohibited
- Higher risk that noncompliance with policies and
procedures will not be detected
59Monitoring - Communication
- To engagement partners and others
- Deficiencies noted as a result of the monitoring
process - Recommendations for appropriate remedial action.
- To all relevant personnel
- Monitoring results at least annually.
60Monitoring
- Procedures to deal appropriately with complaints
and allegations - Clear channels for personnel to raise concerns
without fear of reprisal - Documentation of complaints and responses
61Monitoring - Documentation
- Document evidence of the operation of each
element of its system of quality control. - Form and content based on firm characteristics
- Retain this documentation for a period of time
sufficient to permit those performing monitoring
procedures and peer review to evaluate the firms
compliance.
62SQCS No. 7 - Practice Aid
- AICPA Audit and Accounting Practice Aid Series,
- Establishing and Maintaining
- a System of Quality Control for
- a CPA Firms Accounting and Auditing Practice
- Product No. 006636
63Questions?