AICPA and Government Auditing Standards Update

1
AICPA and Government Auditing Standards Update
Alyson Silva Audit Senior Manager, West Palm Beach
2
AICPA Auditing Standards Update
3
Objectives

• Review recently issued generally accepted
  auditing standards
• Impact of standards on auditors and auditees

4
Overview

• The American Institute of Certified Public
  Accountants (AICPA) issues pronouncements on
  professional standards including U.S. Auditing
  Standards
• Auditing Standards Board (ASB), a senior
  technical body of the AICPA designated to develop
  and issue pronouncements on auditing matters
• ASB issues standards in the form of Statements on
  Auditing Standards (SASs), after open public
  meetings, exposure drafts and a formal vote
• During the period December 2005-December 2006, 13
  SASs have been issued

5
Recently Issued SASs

• No. 102 Defining Professional Requirements in
  Statements on Auditing Standards
• No. 103 Audit Documentation
• Nos. 104-111 Audit Risk Assessment Suite of
  Standards
• No. 112 Communicating Internal Control Related
  Matters Identified in an Audit
• No. 113 Omnibus - 2006
• No. 114 The Auditors Communication with Those
  Charged with Governance

6
SAS No. 102 Defining Professional Requirements in
Statements on Auditing Standards

• This Statement defines the terms used by the ASB
  in describing the degree of responsibility
  professional requirements imposed on auditors
• Unconditional Requirements the auditor must
  comply in all cases where its applicable. The
  words must or is required is used by the ASB
• Presumptively Mandatory Requirements the
  auditor is required to comply in all cases,
  unless a rare circumstance exists where there is
  justification for departure. The word should
  is used by the ASB
• The definitions are consistent with terms used by
  the Public Company Accounting Oversight Board
  (PCAOB)

7
SAS No. 103 Audit Documentation

• The ASB considered what is being required by
  PCAOB and Government Auditing Standards and
  updated generally accepted auditing standards
  with this Statement. Among other things, the SAS
  requires
• The auditor assembles the audit files to a final
  form within 60 days of releasing the report.
  After this date, the auditor cannot delete or
  discard existing audit documentation and must
  document any subsequent additions
• A minimum file retention period of 5 years from
  date of report release
• The audit report is dated no earlier than the
  date on which you have gathered enough evidence
  that the financial statements are fairly
  presented. Evidence includes both the
  preparation of, and managements review,
  evaluation, and acceptance of responsibility for,
  the financial statements

8
SAS Nos. 104-111 Audit Risk Assessment Suite of
Standards

• SAS No. 104, Amendment to Statement on Auditing
  Standards No. 1, Codification of Auditing
  Standards and Procedures
• SAS No. 105, Amendment to Statement on Auditing
  Standards No. 95, Generally Accepted Auditing
  Standards
• SAS No. 106, Audit Evidence
• SAS No. 107, Audit Risk and Materiality in
  Conducting an Audit
• SAS No. 108, Planning and Supervision
• SAS No. 109, Understanding the Entity and Its
  Environment and Assessing the Risks of Material
  Misstatement
• SAS No. 110, Performing Audit Procedures in
  Response to Assessed Risks and Evaluating the
  Audit Evidence Obtained
• SAS No. 111, Amendment to Statement on Auditing
  Standards No. 39, Audit Sampling

9
SAS Nos. 104-111 Audit Risk Assessment Suite of
Standards
The objective of the SASs is to improve audit
effectiveness by requiring

• A more in-depth understanding of the entity and
  its environment, including its internal control
• More rigorous assessment of the risks of material
  misstatement (whether caused by error or fraud)
  of the financial statements
• A linkage between the assessed risks and the
  nature, timing, and extent of audit procedures
  performed in response to those risks

10
SAS No. 112 Communicating Internal Control
Related Matters Identified in an Audit

• Overview
• Effective for audits of financial statements for
  periods ending on or after December 15, 2006
• Requires auditor to communicate significant
  deficiencies or material weaknesses in internal
  control

11
Overview (continued)

• Provides guidance on evaluating the severity of
  deficiencies
• Requires the communication to be in writing and
  be made no later than 60 days following the audit
  report release date
• The definitions now used for control deficiencies
  are consistent with PCAOB
• The term reportable condition is no longer used

12
Old Definitions Reportable Conditions

• Involve matters coming to the auditors attention
  relating to significant deficiencies in the
  design or operation of the internal control that,
  in our judgment, could adversely affect the
  organizations ability to initiate, record,
  process and report financial data consistent with
  the assertions of management in the financial
  statements

13
Old Definitions Material Weaknesses

• A material weakness is a reportable condition in
  which the design or operation of one or more of
  the internal control components does not reduce
  to a relatively low level the risk that
  misstatements caused by error or fraud in amounts
  that would be material in relation to the
  financial statements being audited may occur and
  not be detected within a timely period by
  employees in the normal course of performing
  their assigned functions

14
Old Versus New
15
New Definitions

• Control deficiency
• Design or operation of a control that does not
  prevent or detect misstatements
• Significant deficiency
• Control deficiency(ies) that adversely affects
  the entitys ability to initiate, authorize,
  record, process, or report financial data
  reliably in accordance with GAAP
• There is more than a remote likelihood that a
  misstatement in the financial statements that is
  more than inconsequential will not be prevented
  or detected

16
New Definitions (continued)

• Material weakness
• Significant deficiency(ies) that results in more
  than a remote likelihood that a material
  misstatement of the financial statements will not
  be prevented or detected

17
Evaluating Control Deficiencies

• Likelihood
• More than remote is when it is at least
  reasonably possible
• Remote likelihood has the same meaning as in FASB
  Statement No. 5
• Magnitude
• Inconsequential if a reasonable person would
  conclude, after considering the possibility of
  further undetected misstatements, that the
  misstatement, either individually or in the
  aggregate, would be immaterial to the financial
  statements
• The significance depends on the potential for a
  misstatement, not an actual misstatement
• The absence of an actual identified misstatement
  does not provide evidence that a deficiency is
  not significant or material

18
EvaluatingFactors Affecting Likelihood

• Nature of accounts, disclosures, and assertions
• Susceptibility of related assets to loss or
  fraud
• Subjectivity and complexity, the extent of
  judgment needed to determine that amount
• Cause and frequency of detected exceptions

19
EvaluatingFactors Affecting Magnitude

• Financial statement amounts or total transactions
  exposed
• Volume of activity in account balance or class of
  transactions affecting current or future periods

20
EvaluatingOther Considerations

• Multiple control deficiencies that affect the
  same financial statement account balance or
  disclosure may increase the likelihood that, in
  combination, there is a significant deficiency or
  material weakness
• Mitigating effects of compensating controls.
  Compensating controls do not eliminate a control
  deficiency
• Results of tests of controls

21
ExamplesDeficiencies That Are at Least
Significant

• Deficiencies in controls over
• Selection and application of GAAP having
  sufficient expertise is an aspect
• Period-end financial reporting process

22
ExamplesStrong Indicators of Material Weaknesses

• Ineffective oversight by those charged with
  governance (Board, Audit Committee, Finance
  Committee)
• Restatement of previously issued financial
  statements
• Material misstatement identified by the auditor,
  that was not initially identified by the entitys
  internal control

23
ExamplesStrong Indicators of Material Weaknesses
(continued)

• Ineffective internal audit or risk assessment
  functions
• Any fraud by senior management

24
Communicating Deficiencies

• Significant deficiencies or material weaknesses
  must be communicated in writing to management and
  those charged with governance
• Managements cost-benefit decisions does not
  relieve auditor responsibility
• Permits other matters to be communicated
• Auditor to disclaim opinion on written responses
• Timing of communications

25
Concerns/Issues

• Auditors
• When to begin writing process
• Allocating time for audit and writing
• May need to gather more information to make the
  SAS No. 112 determinations
• Applying more than inconsequential and
  reasonable person
• Getting auditee responses
• Management
• Understanding the new definitions and impact on
  internal control report and management letter
• Educating governing bodies

26
SAS 114, The Auditors Communication with those
Charged with Governance

• Matters to be communicated with those charged
  with Governance
• The auditors responsibilities under generally
  accepted accounting standards (paragraphs 26-28)
• An overview of the planned scope and timing of
  the audit (paragraphs 29-33)
• Significant findings from the audit (paragraphs
  34-44)

27
Governance

• The person or persons with responsibility for
  overseeing the strategic direction of the entity
  and obligations related to the accountability of
  the entity. This would include the person
  overseeing the financial reporting process. In
  some, but not all cases, the person(s) charged
  with governance are responsible for approving the
  entitys financial statements
• In most entities, governance is the collective
  responsibility of a governing body such as a
  board of directors, a supervisory board,
  partners, proprietors, a committee of management,
  trustees, or equivalent persons
• In some smaller entities, one person may be
  charged with governance, such as the
  owner-manager where there are no other owners, or
  a sole trustee
• When governance is a collective responsibility, a
  subgroup, such as an audit committee or even an
  individual, may be charged with specific tasks to
  assist the governing body in meeting its
  responsibilities

28
Governance (continued)

• When communicating with a subgroup of those
  charged with governance, the following should be
  considered
• The respective responsibilities of the subgroup
  and the governing body
• The nature of the matter to be communicated
• Relevant legal or regulatory requirements
• Whether the subgroup has (a) the authority to
  take action in relation to the information
  communicated and (b) can provide further
  information and explanations
• Whether there are potential conflicts of interest
  between the subgroup and the other members of the
  governing body
• Whether there is a need to communicate the
  information in full or in summary form to the
  governing body. Auditor ALWAYS retains the right
  to communicate with the governing body.

29
Governance (continued)

• In some instances, all of those charged with
  governance are involved in managing the entity.
  In these situations, auditors should consider
  whether communications with the person(s)
  involved with the financial reporting
  responsibilities adequately informs all of those
  with whom they should communicate such matters.

30
Auditors Responsibility Under GAAS

• Auditors should communicate their responsibility
  under GAAS, including
• The financial statements are the responsibility
  of management
• The audit does not relieve management or those
  charged with governance of their responsibilities
• Auditors are responsible for forming and
  expressing an opinion about whether the financial
  statements prepared by management with the
  oversight of those charged with governance, are
  presented fairly, in all material respects, in
  conformity with generally accepted accounting
  principles
• These responsibilities may be communicated
  through the engagement letter

31
Auditors Responsibility Under GAAS (continued)

• Auditors may also communicate
• Our audit was designed in accordance with
  auditing standards generally accepted in the
  United States to provide reasonable, rather than
  absolute, assurance that the financial statements
  are free of material misstatement
• As a part of our audit, we obtained an
  understanding of internal control sufficient to
  plan our audit and to determine the nature,
  timing, and extent of testing performed. However,
  we were not engaged to and we did not perform an
  audit of internal control over financial
  reporting.
• As part of our audit, we are responsible for
  communicating significant matters that are in our
  judgment, relevant to the responsibilities of
  those charged with governance in overseeing the
  financial reporting process. Generally accepted
  auditing standards do not require us to design
  our procedures for the purpose of identifying
  other matters to communicate to those charged
  with governance.

32
An Overview of Planned Scope and Timing

• There is a need to have a planning meeting with
  those charged with Governance
• Should be cautious not to compromise the
  effectiveness of the audit, particularly when
  some or all of those charged with governance are
  involved in managing the entity
• Matters communicated may include
• Significant risks of material misstatement,
  whether by error or fraud as well as the planned
  procedures to address these risks
• The approach to internal control and whether an
  opinion on the effectiveness of internal control
  over financial reporting will be issued
• The concept of materiality in planning and
  executing the audit, focusing on factors
  considered and not specific thresholds or amounts
• Whether the entity has an internal audit function
  and the extent of planned reliance, if any

33
An Overview of Planned Scope and Timing

• Other planning matters that could be discussed
  are
• Attitudes, awareness and actions of those charged
  with governance concerning
• Entitys internal control and its importance
• How those charged with governance oversee the
  effectiveness of internal control
• Detection and risk of fraud
• Actions taken in response to developments in
• Financial reporting
• Laws
• Accounting standards
• Corporate governance practices
• Actions taken in response to previous
  communications
• Appropriate personnel with which to communicate
• Business risks that could result in material
  misstatements (Significant Risks)
• Communications with regulators

34
Significant Audit Findings

• No significant changes in what auditors are
  required to communicate
• Should be communicated in writing when in the
  auditors judgment oral communication is not
  adequate
• If significant findings are communicated orally,
  the auditor is required to document the
  significant findings discussed, and when and with
  whom the discussions took place consistent with
  SAS 103
• Should communicate
• Views on qualitative aspects of significant
  accounting practices including
• Accounting Policies
• Accounting Estimates
• Financial Statement Disclosures
• Significant difficulties encountered during the
  audit
• Uncorrected misstatements
• Disagreements with management
• Other significant findings

35
Significant Audit Findings

• Should communicate (unless all of those charged
  with governance are management)
• Material recorded adjustments
• Representations requested from management
• Managements consultations with other accountants,
  if any
• Other material written communications with
  management

36
Adequacy of Communications

• Auditors are required to evaluate whether the
  communication between those charged with
  governance and management is adequate for the
  purpose of their audit
• Should consider SAS 109 and the participation of
  those charged with governance with internal audit
  and external auditors as an element of the
  entitys internal control
• If communication is considered to be inadequate,
  the auditor should consider the effects if any of
  their assessment of significant risks

37
Statements Unaffected by SAS 114

• Responsibility to report illegal acts. (SAS 54
  paragraph 17)
• Responsibility to report on items where the
  entity is subject to an audit requirement that is
  not encompassed in the terms of the engagement
  and thus the audit may not satisfy legal,
  regulatory or contractual requirements. (SAS 74
  paragraph 22)
• Responsibility to inquire of the audit committee
  (or at least the chair of the audit committee)
  regarding the committees views on the risks of
  fraud and whether the committee has knowledge of
  any fraud or suspected fraud. (SAS 99 paragraph
  22)
• Responsibility to communicate fraud involving
  senior management and any fraud that causes a
  material misstatement of the financial
  statements. (SAS 99 paragraph 79)
• Responsibility to communicate in writing any
  control deficiencies that are considered
  significant deficiencies or material weaknesses.
  (SAS 112 paragraph 20)

38
Questions?
39
2007 Revision to Government Auditing Standards
(GAS) and Changes Due to Adoption of SAS 112
40
Objectives

• Highlight major revisions in the January 2007
  Revision to GAS
• Discuss the reasons for the changes and what
  these changes mean to you
• Discuss the revisions to quality control and peer
  review standards included in July 2007 Revision
• Discuss effective dates
• SAS 112 adoption effective for years ending on or
  after December 15, 2006!
• Other SAS updates apply as well be aware
  (e.g., SAS 103)

41
2007 Revision

• 2007 revision supersedes the 2003 revision
• January 2007 revision issued late January
• Contained final 2007 revision except for quality
  control and peer review sections
• At same time issued exposure draft requesting
  comments on redrafted sections on quality control
  and peer review
• Comments were due March 30, 2007
• July 2007 revision issued late July
• Contains the January 2007 revision plus updated
  quality control and peer review sections
• Represents the completed 2007 revision and is the
  version that should be used by government
  auditors until further updates and revisions are
  made

42
Chapter 1 Use and Applicability of GAS

• Reinforced the key role of auditing in
  maintaining accountability and improving
  government operations
• Clarified the standards through standardized
  language to define the auditors level of
  responsibility and distinguish between
  requirements and additional guidance
• Added guidance on citing compliance with GAS in
  the Auditors report
• Clarified and expanded the standards to recognize
  other sets of standards that can be used in
  conjunction with GAS
• Retained the same types of governmental audits
  and attestation engagements, but updated and
  expanded the definitions and descriptions of
  performance audits and attestation engagements

43
Chapter 2 Ethical Principles in Government
Auditing

• Heightened emphasis on ethical principles
• Five principles
• Public interest
• Integrity
• Objectivity
• Proper use of government information, resources
  and position
• Professional behavior

44
Chapter 3 General Standards

• Clarified and streamlined the discussion of the
  impact of professional services other than audit
  services (nonaudit services) in their impact on
  auditor independence
• Stressed the role of professional judgment and
  competence in complying with GAS
• Updated CPE requirements to incorporate April
  2005 changes
• Enhanced and clarified the requirements for an
  audit organizations system of quality control by
  specifying the elements of quality that an
  organizations policies and procedures
  collectively address
• Added a requirement that external audit
  organizations make their most recent peer review
  report publicly available

45
Chapter 3 General StandardsNon-Audit Services

• Moved non-audit services from personal
  impairments to organizational impairments
• Created three distinct categories of non-audit
  services, and consolidated and streamlined the
  examples previously interspersed throughout the
  independence section
• Non-audit services that do not impair
  independence
• Non-audit services that would not impair
  independence if the supplemental safeguards are
  complied with
• Non-audit services that impair independence
• Bottom line-no substantive changes to
  independence standards
• GAO will work on updating Independence Standard Q
  and As next

46
Chapter 3 General StandardsIndependence

• Streamlined requirements for auditors regarding
  independence when using the work of a specialist
• Added that an externally imposed restriction on
  access to records, government officials, or other
  individuals needed to conduct the audit may
  impair external independence
• Added steps that audit organizations should take
  if an impairment to independence is identified
  after the audit report is issued

47
Chapter 3 General StandardsContinuing
Professional Education (CPE)

• Updated the CPE requirements to incorporate
  partial exemption from 80 hour CPE requirements
  for certain auditors that had been separately
  issued in April 2005
• Clarified CPE requirements to include internal
  specialists who are part of the audit
  organization and part of the team
• They are subject to GAS CPE requirements
• Bottom line-no substantive changes to the CPE
  requirements

48
Chapter 3 General StandardsAudit Quality
Control and Assurance

• Clarified that an audit organizations
• noncompliance with peer review results in a
  modified GAS statement
• noncompliance with the requirements for a system
  of quality control does not impact the GAS
  statement but is monitored through peer review
• system of quality control also provides
  reasonable assurance that the organization and
  its personnel comply with professional standards
  and applicable legal and regulatory requirements

49
Chapter 3 General Standards- Audit Quality
Control and Assurance (continued)

• Added a requirement that the quality control
  policies and procedures collectively address
• Leadership responsibilities within the audit
  organization
• Independence, legal, and ethical requirements
• Initiation, acceptance, and continuance of audit
  and attestation engagements
• Human resources
• Audit and attestation engagement performance,
  documentation, and reporting
• Monitoring of quality

50
Chapter 3 General Standards- Audit Quality
Control and Assurance (continued)

• Increased transparency regarding the
  effectiveness of QC systems by requiring external
  peer review reports be made public
• Does not include letter of comment
• Can be done by posting peer review opinion to an
  external web site or publicly available file
  designed for public transparency of peer review
  results
• Internal audit organizations should provide copy
  to those charged with governance
• Government audit organizations should also
  transmit their external peer review reports to
  appropriate oversight bodies
• If peer review opinion is adverse and related to
  or impact audits performed under GAS
• Each GAS report should disclose the peer review
  results until such time as the adverse opinion is
  replaced by an unqualified or qualified opinion

51
Chapter 3 General Standards- Audit Quality
Control and Assurance (continued)

• Those audit organizations seeking to enter into a
  contract to perform a GAS audit or attestation
  engagement should provide the following to the
  party contracting for such services
• The audit organizations most recent peer review
  report and any letter of comment
• Any subsequent peer review reports and letters of
  comment received during the contract period
• No change to provisions currently in effect
• Auditors who are using another audit
  organizations work should request the audit
  organizations latest peer review report and any
  letter of comment

52
All Types of GAS Auditsand Attestation
Engagements

• Defined those charged with governance
• Added a requirement for controls over
  electronically maintained audit documentation
• Clarified and streamlined
• Developing elements of a finding
• Reporting confidential or sensitive information
• Reporting views of responsible officials
• Issuing and distributing reports

53
All Types of GAS AuditsRole of Those Charged
with Governance

• Have the duty to oversee the strategic direction
  and obligations related to the accountability of
  the entity
• Because may be unclear who is charged with
  governance functions, auditors evaluate
  organizational structure for directing and
  controlling operations to achieve the entitys
  objectives
• Evaluation includes
• How the entity delegates authority
• How the entity establishes accountability for
  management personnel
• If not clear who is those charged with
  governance, the auditor should
• Document the process followed
• Document conclusions reached for the appropriate
  individuals to receive the auditors
  communications

54
All Types of GAS AuditsControls Over Electronic
Audit Evidence

• Whether audit documentation is in paper,
  electronic, or other media
• The integrity, accessibility, and retrievability
  of the underlying information could be
  compromised if
• Documentation is altered, added to, or deleted
  without auditors knowledge
• Documentation is lost or damaged
• For documentation retained electronically, audit
  organizations should establish IS controls
  concerning accessing and updating the audit
  documentation

55
All Types of GAS AuditsDeveloping Elements of a
Finding

• Elements needed depend on the objectives of the
  audit
• Finding is complete to the extent the audit
  objectives are satisfied
• Auditor should plan and perform procedures to
  develop the elements of a finding that are
  relevant
• Criteria
• Condition
• Cause
• Effect or potential effect

56
All Types of GAS Audits - Reporting Confidential
and Sensitive Information

• If information is excluded from the auditors
  report, auditors
• Should disclose that certain information has been
  omitted and reason for the omission
• May issue a separate report and distribute it to
  only persons authorized to receive it
• If subject to public records laws, auditors
  should
• Determine the impact of such laws on the
  availability of the separate report
• Determine whether other means of communicating
  would be more appropriate

57
All Types of GAS AuditsReporting Views of
Responsible Officials

• All performance audit reports and in financial
  audit reports that disclose deficiencies in
  internal control, fraud, illegal acts, violations
  of provisions of contacts or grant agreements, or
  abuse, auditors should
• Obtain and report views of responsible officials
  concerning
• Findings, conclusions, and recommendations
• Planned corrective actions
• Include in report an evaluation of the comments,
  as appropriate
• If the audited entity does not provide comments,
  auditors may issue report
• Indicate that the audited entity did not provide
  comments

58
All Types of GAS Audits Distributing reports

• Distribution of reports depends on
• The relationship of the auditors to the audited
  organization
• The nature of the information contained in the
  report
• Different requirements for
• Government audit organizations (external)
• Internal audit organizations in government
• Public accounting firms

59
Changes Related to Internal Auditors

• Encouraged internal auditors to use IIA standards
  in conjunction with GAS
• Clarified that the nonaudit service of carrying
  out internal audit functions applies to external
  auditors
• Modernized the criteria for organizational
  independence for internal audit functions
• Reporting audit results to those charged with
  governance
• Access to those charged with governance
• Sufficiently removed from political pressures
• Emphasized the importance of internal audit as
  part of the overall governance, accountability,
  and internal control
• Clarified that internal auditors may follow IIA
  standards to communicate results of the audit to
  parties who can ensure that the results are given
  due consideration

60
Chapter 4 Field Work Standards for Financial
Audits

• Added the definition of reasonable assurance for
  financial audits
• Updated communications during planning
• Understanding of the services to be performed
• Communication is required to be written
• To both management and those charged with
  governance
• Clarified and streamlined the auditors
  responsibilities for provisions of contracts or
  grant agreements
• Added a clear and prominent discussion on
  consideration of fraud and illegal acts
• Clarified and streamlined the auditors
  responsibilities in field work for abuse
• Updated GAGAS based on recent developments in
  financial auditing and internal control (AICPA
  SASs)

61
Chapter 4 Field Work Standards for Financial
Audits-Provisions of Contracts or Grant
Agreements

• Auditors should design the audit to provide
  reasonable assurance of detecting misstatements
  that result from violations of provisions of
  contracts or grant agreements that could have a
  direct and material effect on financial statement
  amounts or other financial data significant to
  the audit objectives
• When auditors conclude that a violation of
  provisions of contracts or grant agreements has
  or is likely to have occurred, they should
  determine the effect on the financial statements
  as well as implications for other aspects of the
  audit

62
Chapter 4 Field Work Standards for Financial
Audits-Fraud and Illegal Acts

• Clarifies the existing standard but does not
  change auditors responsibilities
• Under both AICPA and GAS auditors are to
• Plan and perform the audit to obtain reasonable
  assurance about whether the financial statements
  are free of material misstatement, whether caused
  by error or fraud
• Design the audit to provide reasonable assurance
  of detecting material misstatements that could
  have a direct and material effect on the
  financial statements

63
Chapter 4 Field Work Standards for Financial
Audits-Abuse

• If auditors become aware of indications of abuse
  that could be material, they should apply audit
  procedures specifically to ascertain
• whether material abuse has occurred and
• the potential effect on the financial statements
• However, because the determination of abuse is
  subjective, auditors are not required to provide
  reasonable assurance of detecting abuse
• After performing additional work, auditors may
  discover that the abuse represents potential
  fraud or illegal acts

64
Chapter 4 Field Work Standards for Financial
Audits-Audit Documentation

• Updated GAS to achieve consistency with AICPA SAS
  No. 103 on Audit Documentation
• AICPA audit documentation standards are now more
  closely aligned with GAS
• Since SAS 103 is effective for years ending on or
  after December 15, 2006 the audit documentation
  standards of GAS are effective for these year ends

65
Chapter 4 Field Work Standards for Financial
Audits-Audit Documentation-Summary

• We should prepare audit documentation that
  enables an experienced auditor, having no
  previous connection with the audit to understand
• Nature, timing and extent of procedures performed
• The results of the procedures performed and
  evidence obtained
• How the audit evidence relates to the audit
  conclusions
• The conclusions reached on significant matters

66
Chapter 5 Reporting Standards for Financial
Audits

• Updated reporting requirements for internal
  control deficiencies based on SAS No. 112
• Encouraged communicating in the auditors reports
  significant concerns, uncertainties or other
  unusual events that could have a significant
  impact on the financial condition or operations
• Increased transparency surrounding reporting on
  restated financial statements that go beyond
  current AICPA standards
• Adopted SAS No. 112 definitions for internal
  control deficiencies that originated from the
  PCAOB
• A significant deficiency is a control deficiency,
  or combination of control deficiencies such that
  there is more than a remote likelihood that a
  misstatement of the entitys financial statements
  that is more than inconsequential will not be
  prevented or detected
• A material weakness is a significant deficiency,
  or combination of significant deficiencies, that
  results in more than a remote likelihood that a
  material misstatement of the financial statements
  will not be prevented or detected

67
Old Versus New
68
Chapter 5 Reporting Standards for Financial
Audits

• Required to report significant deficiencies and
  material weaknesses in the GAS report on internal
  control over financial reporting and on
  compliance and other matters based on an audit
  performed in accordance with GAS
• Internal control deficiencies that are less than
  significant deficiencies can be reported in the
  management letter or verbally
• If communicated verbally-document communication
  in the audit documentation
• All of the above is effective for fiscal years
  ending on or after December 15, 2006!
• Linkage in audit reports to management letter if
  there are instances of noncompliance less than
  material but more than clearly inconsequential.

69
Chapter 5 Reporting Fraud, Illegal Acts, Other
Noncompliance, Abuse

• When auditors conclude that any of the following
  has occurred or is likely to have occurred, they
  should include in the audit report the relevant
  information about
• Fraud and illegal acts that are greater than
  inconsequential
• Material violations of contracts or grant
  agreements
• Material abuse
• No significant change from 2003 GAS revision

70
Chapter 5 Communicating Significant Matters

• Auditors may communicate the following matters
  when they become aware that such issues exist
• Significant concerns or uncertainties about the
  fiscal sustainability of a government or program
  significant to the financial condition or
  operations
• Unusual or catastrophic events that likely will
  have significant ongoing or future impact
• Significant uncertainties
• Any other matter that the auditors consider
  significant
• Determining whether to communicate in the
  auditors report is a matter of professional
  judgment
• Effective for 12/31/08 year ends

71
Chapter 5 Restatements

• Goes above and beyond AICPA responsibilities
• In response to frequent restatements of federal
  and other governmental financial statements
• Auditors should advise management to make
  appropriate disclosures when they believe it is
  likely that previously-issued financial
  statements are misstated and the misstatement
  could be material
• Auditors also have the following professional
  responsibilities
• Evaluate the timeliness and appropriateness of
  managements disclosure and actions to determine
  and correct misstatements in the
  previously-issued financial statements
• Report on restated financial statements
• Report directly to appropriate officials when the
  audited entity does not take the necessary steps

72
Chapter 5 Restatements (continued)

• Evaluating managements disclosure and actions
• Auditors should evaluate the following regarding
  managements disclosures and actions to determine
  and correct misstatements
• Acted in an appropriate time frame after new
  information was available
• Disclosed the nature and extent of known or
  likely material misstatements
• Disclosed whether specified information was in
  the entitys restated financial statements
• Report on restated financial statements
• Explanatory paragraph includes
• Disclosure that the previously-issued financial
  statements have been restated
• Statement that previously issued report should
  not be relied on and is replaced by a revised
  report
• Reference to the notes that discuss the
  restatement
• If applicable, reference to the report on
  internal control

73
Chapter 5 Restatements (continued)

• Report directly when the audited entity does not
  take the necessary steps
• Auditors should notify those charged with
  governance if entity management
• Does not act in an appropriate timeframe
• Does not restate with reasonable timeliness
• Auditors should inform those charged with
  governance that they should take necessary steps
  to prevent further reliance on the auditors
  report and advise them to notify oversight bodies
  and funding organizations
• If users not notified, auditors should do this
  notification

74
Chapter 6 Attestation Engagements

• Conforming changes have been made for the
  following items
• Definitions of internal control deficiencies
• Description of abuse
• Audit documentation
• Use of terminology to define professional
  requirements
• Reporting views of responsible officials and
  confidential and sensitive information
• Issuing and distributing reports

75
Chapter 7 and 8 Performance Audits

• Enhanced performance auditing standards that
  elaborate on the overall framework for
  high-quality performance audits by
• Defining the level of assurance associated with a
  performance audit as providing reasonable
  assurance that auditors have sufficient,
  appropriate evidence to achieve the audit
  objectives and support findings and conclusions
• Adding a section on concept of significance
• Adding a section on audit risk and specifically
  adding risk as a factor to be used in planning
  and evaluation of the evidence
• Added a section describing the auditors
  assessment of the collective evidence to support
  the findings and conclusions
• Added a section on information systems controls
  for the purpose of assessing audit risk and
  planning the audit

76
Chapter 7 and 8 Performance Audits (continued)

• Expanded the auditors compliance with GAS in the
  performance audit report
• Clarified and streamlined
• The auditors responsibility for reporting the
  views of responsible officials
• Reporting confidential and sensitive information
• For issuing and distributing reports
• When auditors comply with GAS, they use the
  following language in the report
• We plan and perform the audit to obtain
  sufficient appropriate evidence to provide a
  reasonable basis for our findings and conclusions
  based on our audit objectives
• We believe that the evidence obtained provides a
  reasonable basis for our findings and conclusions
  based on our audit objectives

77
Appendix Supplemental Guidance

• Does not establish additional GAS requirements
• Includes examples of
• Deficiencies in internal control
• Abuse
• Fraud risk
• Overall guidance includes guidance on determining
  whether laws, regulations or provisions of
  contracts are significant

78
2007 Revision Implementation Dates

• For performance audits, audits beginning on or
  after January 1, 2008
• For financial audits and attestation engagements,
  effective for audits of periods beginning on or
  after January 1, 2008
• Certain standards issued by the AICPA have
  earlier effective dates. Effective dates of
  those new standards apply to GAS audits
• Until the 2007 Revision becomes effective,
  auditors should adopt the terminology and
  definitions of SAS No. 112 in reporting on
  internal control

79
Questions?