OVER AND UNDER AUDITING 2014

• Boston AGA Chapter

• January 23, 2014

• Art Hayes

• www.hayesways.com

Dec 27, 2015


Why would you change what you are already doing?

• Doesn’t it seem that you are pretty successful?

• Isn’t there risk in changing? Maybe it won’t work out as well as what you are doing now?

• And what if you are not so sure you are doing the right thing—then won’t there be even greater reluctance to try something new and maybe screw up even more and even be detected?


So, before we start we need to see if we can answer two basic questions

• 1. ________________________

• 2. ________________________


• A word about the perspective…

• The way we do our audits is inextricably tied into questions of ethics.

• Re Ethics—can we just “hide” behind more work we have to do?

• The ultimate test = how well did you utilize your resources and how good was the quality of the work product you gave to your client.


The basics

• What do we have to do?

• How do we know what we have to do?

• What else is there that we do?

– The “extras”?

• Is there any room for slack?

– Do we have any time for side trips?

– What is a side trip?

– Is it a part of the mission?

– Did we waste that time? Do it for nothing?


Our basic activities

• Risk assessment procedures (performed in every engagement) include:

– Inquiries of management and others within the entity

– Analytical procedures

– Observation and inspection


• Top ten (or so?) over and under auditing dilemmas

• And tools to address them

• Finding the right balance between drive by audits and the never ending story

– Hint: this does not mean less work


The double edged sword

• Professional judgment

– Is it truly subjective?

• Is there an objective measure/test to what we do?

– Peer review?

– Media?

– Snitches?


What is our real mission/purpose/vision?

• To critique and report?

– Our independent role

• To improve their operations?

– To strive for the betterment of the overall concerns of taxpayers?

• To improve their ability to safeguard their assets and information?


• What is the greatest under-auditing trap?

• What is the greatest over-auditing trap?

• How do you determine the answers for your entity?


• True or False

• 1. Relatively inexperienced auditors will more likely than not result in under auditing, at least as regards detecting fraud.

• 2. Relatively seasoned auditors will more likely than not result in over auditing, since they will tend to do the same work they are accustomed to do, on automatic pilot.

• 3. A way to control under auditing is to utilize auditee personnel to do some of the audit work.

• 4. Independence issues are irrelevant to the issue of over and under auditing.

• 5. There are many factors in an audit engagement that affect over and under auditing that are beyond the control of the auditors


• TOP TEN OR SO DILEMMAS

– Not enough staff.

– Not enough time.

– So much to look at.

– So many standards.

– The Easter egg hunt phenomenon.

– We are not clairvoyant.

– They could gang up on us.

– They seem so nice.

– The learning curve and predictability.

– We don’t want to look stupid!!


TOP TEN OR SO POSSIBLE SOLUTIONS

• 1.  KNOW YOUR ENTITY.  Take the time to talk to people.  Learn as much as you can about the industry, the operations and the challenges.  The more you know, the better you can design your steps, the more guesswork you can avoid, and the better you can aim your efforts at where the risks are. 


• 2.  AUDIT TO RISK.  After learning about your entity, critically revisit your audit program, particularly if you have a canned audit program.  We must concentrate our limited hours in the areas of most importance.  And let the other areas go.....


• 3.  For CAFRS, understand opinion units.  Use the right materiality levels for the right funds.  Use work from one opinion whenever you can to support the work of a government-wide opinion unit.  Don't duplicate effort just because they are different opinion units.


• 4.  Use CAATS when you can rather than detailed testwork.  For some types of analysis, CAATS can be much more effective than detailed testwork. 


• 5.  Don't shy away from using analytical procedures as your sole support if there are not significant risks and if there are solid relationships in the analyticals and the expectations can be explained and relied on.


• 6.  Don't allow scope creep.  We deal with legislative bodies and other oversight that would like us to look at everything.  We have to be able to identify the additional effort required for each additional request and do our best to gently persuade the interested parties that it will have to wait or be part of a separate effort. 


• 7.  When scope creep does occur, we must remember to remove the procedures the next year.  Too often, we let something into the audit program and we never get it out.  By the time someone wonders why a certain step that doesn't support the opinion is in the audit program, it has already been completed.  Or we look at the step and think it's a pretty good step and a worthwhile procedure, but forget that it is not necessary for the opinion.


• 8.  Cut the extra compliance steps that have no chance of being material noncompliance.  Too many rules are tested that are good to know, but don't support the opinion.  If we find a few payments that weren't made within the prompt payment act parameters, will it really affect our opinion or our report?


• 9.  Limit your attributes to only the substantive questions that support the opinion and only the key internal controls (if relying on internal control.)  Don't make a big laundry list to review for every single transaction.


• 10.  Be cautious with your sampling.  Reconcile, reconcile, reconcile.  People sometimes ask for listings of the main types of receivables and test away without considering what percent of the total receivables those listings cover.  You could be missing a larger than comfortable percent of the total.


• 11.  Understanding the overall balance is also important from the overauditing standpoint. 

• Always make sure you know how much you need to be testing overall and understand what population you are talking about before you develop your steps and sampling plan.


• 12.  Commemorate/communicate/coordinate/consolidate

• From this day forward, keep track of over- and under-auditing tendencies and communicate this to staff

• Make it a part of audit huddles

• Develop a central data base


The top nine things that prevent auditors from finding problems/fraud, per a staff survey

– lack of time

– lack of documentation at the auditee

– not knowing what the real procedures are at the agency

– lack of knowledge about such problems/fraud

– lack of knowledge and understanding of information technology issues

– so many auditing procedures to do

– isolation of the auditors on site

– fear of crying wolf

– fear of making the auditee mad


Possible solutions to these obstacles*.

• Look at the current “required” audit steps and determine if they are really “required” and eliminate (or do every other year) if possible.

• Having more auditors with medical expertise and mental health training

• Rotate auditors as well as keep some on the audit with knowledge of ways to “beat the system”

• * from my staff survey


Things that assist me in finding problems

• CAATS

• OK, I’ll admit it. I like to find the big issues (I don’t find them very often, and they are not necessarily fraud)—but I get a real charge out of finding stuff! I think the thing I rely on most is a skepticism where I pretty much assume that anything unusual I see is a problem until I can assure myself that it is not.


• True, this goes against the “American Way,” in which we assume innocence until we prove guilt. However, if it walks like a duck, quacks like a duck, and swims like a duck, I’m going to assume it’s a duck until someone can be pretty convincing that it’s not a duck!


• Conversations with staff around the office. I believe that interdisciplinary thought groups would allow the exchange of ideas, experiences, and problems and bring to light potential issues. E-mail is a wonderful and efficient tool for communicating knowledge, but it does not replace conversation as a “trigger” for recollections and experiences that may have fallen out of mind. There have been several occasions in my life where a comment or event did not seem significant at the time, but later became a critical issue with the development of more information


• Provide more training that directly relates to types of problems/fraud we might encounter on an audit with focus on the mechanics of schemes and how those schemes can be detected

• When the existing audit programs are revamped for new procedures under new standards, make sure that managers and in-charges understand that more time may be needed to complete the audit, and remind them that we are here to perform quality audits, not to establish bragging rights by trying to finish the audit in less time than the previous auditors


• Emphasize to auditors that it’s OK to ask as many questions as they want, and they should continue asking questions until they are satisfied with and completely understand the answers; the auditee’s attitude does not control the amount of questions

• Explain the roles of each section in our office and what each section does, and emphasize that every section must be on the lookout for problems/fraud when performing work; the auditors in each section should be made aware of what to do if fraud is found and should understand the process of handling a fraud allegation and who performs the various tasks related to handling the allegation; the auditors should also understand that fraud investigations may require the assistance of auditors from various areas of our office and are not just handled by Investigations


• Emphasize that it’s better to make a big deal of an issue that could indicate fraud and find that it’s not fraud, rather than pass over the issue and find out later that fraud was occurring


• Asking questions about things that look odd

• Giving careful thought to answers that the auditee gives me to make sure the answers are plausible and make sense

• Asking for documentation whenever possible to verify auditee statements

• Gaining an understanding of the procedures that may apply to the area I’m looking at (purchasing, contracts, etc) so that I can determine if anything appears out of place


• Asking other auditors for their opinion on issues that look strange (the other auditor might notice something I overlooked or might be able to share experience or expertise with the issue in question)

• If the auditee gives a statement that involves the activities or participation of other individuals, following up with those individuals to verify the auditee’s statements (for example, if Bob says that Fred told him about something, ask Fred if he really did)

• Asking the auditee where his or her information came from

 


• Encouragement from my superiors and co-workers

• Training classes

• Experience on the audit. The more years that I am on a particular audit, the more likely I am to uncover some irregularity

• Conscientious, talented auditors to work with me

• Guidance from managers

• Knowledgeable internal auditors at the auditee


Improving auditor skepticism through cognitive dissonance theory

• Is objectivity a myth?

• How much do we struggle to not have an open mind (by holding onto our assumptions/biases/beliefs) when we profess to have an open mind?

• As professionals, we are expected to employ critical thinking in analyzing information/evidence

• This includes weighing conflicting information from various sources

• But are we to be totally objective?

• The scientific method is designed to prove that a hypothesis is true??

• What is the main role of attorneys?


• Two main perspectives:

• What we tell ourselves to justify what we do... staying off the slippery slopes

• Our possible predispositions to whether we think a person or an organization is trustworthy

– And how those notions may affect our evaluation of what they say or do

• What others tell us to justify what they have done or not done

– And whether we buy off on it

• If this sounds familiar, it is what we tell friends/family when they have been hurt

– It wasn’t your fault/they were jerks/you are better off without him/her/that job

• And the basis of cognitive reframing therapy


• What are the two primary types of mistakes we can make in evaluating information?

– False positives

– False negatives

– Which is worse?


Purpose of this session

• To assist you in recognizing the traps we all can fall into when we are evaluating information and evidence


• When our brains are made up, it is very hard to change them

• Cognitive dissonance—a state of tension created whenever a person holds two cognitions (ideas, attitudes, beliefs, opinions) which are psychologically inconsistent. Leon Festinger

• Smoking is not a good thing, it can kill me; I smoke two packs a day


• It produces mental discomfort

– From minor pangs to deep anguish

• We don’t rest easy until we find a way to reduce it

• Quit smoking

• Convince yourself smoking isn’t so bad

– Or it is worth the risk because it helps me relax, or prevents me from gaining weight (another health risk)


Three primary applications to auditing and accountability

• Auditors and the need to remain objective in skeptically analyzing audit evidence

• Management and those charged with governance who need to remain objective and vigilant to indicators of possible fraud, waste or abuse through designing, establishing and monitoring effective internal controls

• All of us as human beings who can trip down that ol’ slippery slope


Auditor responsibilities per SAS 99

• Paragraph 14: when responses to inquiries of management, those charged with governance, or others are inconsistent or otherwise unsatisfactory (for example, vague or implausible), the auditor should further investigate the inconsistencies or unsatisfactory responses.


• Paragraph 14: maintain the proper questioning mind throughout the audit

• Paragraph 15: the questioning mind should include setting aside any prior belief that management is honest and has integrity and consider the risk of management override of controls


• Paragraph 15:

• Consider known external and internal factors that might: 1. create incentives/pressures to commit fraud, 2. provide opportunities for fraud to be perpetrated and 3. indicate a culture or environment that enables rationalization for committing fraud


• Paragraph 16: professional skepticism should lead auditors to continually be alert for information or other conditions that could indicate that MMDF may have occurred


• Paragraph 16: professional skepticism should lead auditors to thoroughly probe the issues, require additional evidence as necessary, consult with other team members and, if appropriate, experts in the firm, rather than rationalize or dismiss the information or other conditions indicating that a MMDF may have occurred.


Requirements of SAS 109

• Paragraph 19: the auditor should plan and perform the audit with an attitude of professional skepticism, which should be exercised throughout the audit engagement

– Auditors should be rigorous in following up on indications of MMDF or error

– Auditors should be alert for information or other conditions indicating a MMDF/E may have occurred.


MORE TOOLS FOR CONTROLLING OVER- AND UNDER-AUDITING (or contributing to them?)

– SAS 102, when must means must, or the real bottom lines

– SAS 103, documentation and the no singing rule/lockdowns

– SAS 104-111, The Risk Assessment Suite

– SAS 99, fraud audits

– SAS 112, more significant deficiencies/material weaknesses??

– What did we know and what did we do with it?

– What should we have known and what should we have done?

– What did we not do?

– What did we document?

– Did we act like an auditor or a consultant?

– Did we feel independent?


• HOW WE USE THOSE TOOLS

– Make everyone accountable

– Give everyone authority

– Question everything

– Be courageous

– Accept that there will be some boo boos

– Develop processes for sharing successes and failures among teams


• BEING YOUR OWN CONSULTANT:

– A task force?

• All volunteer

– But don’t neglect to add as necessary

• Cross section

• Top official part and parcel of it

• Over-arching considerations

– Basic philosophy

– Processes

• Everything is on the table

• Keep minutes

• Distribute beyond the task force

– And ask for comments


• Processes, continued

– Deadlines: the ultimate deadline

• And mini-deadlines

– Assignments

– Paragraph by paragraph


• OUTPUT:

– Internal control questionnaires

– Audit programs

– Technical tools

– New devices

• Mini rep letters

• Tougher findings and recommendations

– CAATALOGS


• OUTCOMES:

– You show me yours, I’ll show you my risk assessment

– Symmetry of motion

– Confluence of intent and purpose

– Increased communication and understanding

– Better division of labor


• Some of the major risks to consider (just possibilities, each entity has to consider their particular situation):

– Over ride

• Not just by management, but especially by management

• Special handled approvals

• High level approval of routine transactions

• A sob story

– Lack of segregation of duties

• Functional as well as organizational


• The possibility of greed entering the picture (Ooops, even in the public sector)

– Conflicts of interest

– Bribes

– Abuse of authority and position/property

– Bonus rounds

– Slush funds

• The fallacy of “compensating controls”

– They are really going to do something indirectly that they can’t do directly?


• Good sources of information

– The appendices to SAS 109

• A-Understanding the Entity and its Environment

• B-Internal Control Components

• C-Conditions and Events That may Indicate Risks of Material Misstatement


• Monitoring activities:

– Should be on a regular basis

– Totally dependent on the adequacy of the original source documentation

– Should be performed by someone independent of the transactions

– They should understand why they are doing this, its importance and what they should do if they detect a problem


• They should ask about any “exceptions” to the rules

– Unexpected problems

– New ideas about ways to improve the system that haven’t yet been documented

– How are any exceptions documented?

• There should be an environment that is open to changes and the need to do things differently

– Just make sure it is communicated upward and the rules are adequately amended


• Any problems of any kind should be documented and communicated to a higher level

– The higher level needs to really look at the exceptions and do something about them

– All of this should be documented

– When the “problems” suggest fraud, waste or abuse, they should receive special attention

• Setting the tone

• There are consequences


• SOME BEHAVIORS AND THOUGHTS THAT LEAD TO OVER AND UNDER AUDITING

– Failure to read the standards

– Failure to read the standards

– Failure to read the standards

– Failure to try to understand the standards

– Failure to try to apply the standards to your audit engagements


• BAD BEHAVIORS AND THOUGHTS continued:

– Non-critically relying too much on instructors at conferences

– Rationalizing away problems/failing to exercise professional skepticism

– Asking questions without analyzing the answers and non-answers

– Failing to follow up on issues

• Failing to recognize issues in the first place


• BAD BEHAVIORS AND THOUGHTS continued:

– Spending too much time spinning our wheels in deciding whether we have a problem or not

– Asking questions we don’t understand

– Not applying what we learn in one situation to other situations (reinventing that ol’ wheel)


• A COUPLE OF AREAS OF GREAT OPPORTUNITY:

– IT processes

– Waste and abuse section

– Better findings

– Huddles


• HUDDLE CONSIDERATIONS:

– THREE STRATA TO CONTINUE:

• Over-all philosophy of the audit organization

• The scope of individual audits

• The actions of individual auditors

• “Inside the audit huddle with Art”

• Association of Government Accountants’ Journal of Government Financial Management, Summer and Fall 2007

• www.agacgfm.org


• Risk assessment procedures (performed in every engagement) include:

– Inquiries of management and others within the entity

– Analytical procedures

– Observation and inspection

• There are inherent limitations in internal control, including:

– Risk of management over ride

– Possibility of human error, and

– The effects of system changes


• Therefore, regardless of the assessed risk of MM, the auditor should design and perform substantive procedures for all relevant assertions related to each material class of T/A’s, account balance, and disclosure

– To obtain sufficient appropriate audit evidence


• Inquiry consists of seeking information of knowledgeable persons, both financial and non-financial, inside or outside the entity.

– It is an audit procedure that is used extensively throughout the audit and

• Often is complementary to performing other audit procedures

– SAS 106, P. 31


• The auditor should perform audit procedures in addition to the use of inquiry to obtain sufficient appropriate audit evidence (SAAE).

– Inquiry alone ordinarily does not provide SAAE to detect a MM at the relevant assertion level

– Moreover, inquiry alone is not sufficient to test the operating effectiveness of controls


• Nor is inquiry alone sufficient to evaluate the design of a control relevant to the audit and to determine whether it has been implemented.


• Responses to inquiries may provide the auditor with information not previously possessed, or

– With corroborative audit evidence

• Alternatively, responses might provide information that differs significantly from other information the auditor has obtained, for example

– Regarding the possibility of management over ride

• The auditor should resolve any significant inconsistencies in the information obtained.


• effectively eliminates the auditor’s ability to assess control risk at the maximum without having a basis for that assessment, i.e., to “default” to maximum control risk, with no adverse consequences for the auditor or the auditor’s client:

– The auditor should assess the risk of MM as a basis for further audit procedures; although that risk assessment is a judgment rather than a precise measurement, the auditor should have an appropriate basis for that assessment


– This basis may be obtained through the risk assessment procedures performed to obtain an understanding of the entity and its environment, including its internal control, and

– Through the performance of suitable tests of controls to obtain audit evidence about their operating effectiveness.

– SAS 107, P. 23

– Assessed risks and the basis for those assessments should be documented (SAS 109, P. 122.c)


• Although the auditor has no responsibility to plan and perform the audit to detect immaterial MS’s
– There is a distinction in the auditor’s response to detected MS’s depending on whether those MS’s are caused by error or fraud.

• When the auditor encounters evidence of potential fraud, regardless of materiality, the auditor should consider the implications for the integrity of management or employees
– And the possible effect on other aspects of the audit


Provides that the auditor “must” consider audit risks and materiality for the F/S’s taken as a whole for certain specified purposes


Those purposes are:
– Determining the extent and nature of risk assessment procedures
– Identifying and assessing the R/MM
– Determining the nature, timing and extent of further audit procedures, and
– Evaluating whether the FS’s taken as a whole are presented fairly, in conformity with GAAP


• The auditor must accumulate all known and likely MS’s identified during the audit
– Other than those the auditor believes are trivial

• And communicate them to the appropriate level of management
• On a timely basis

• Trivial: amount set so that any such MS’s, either individually or when aggregated, would not be material to the FS’s, after the possibility of other undetected MS’s is considered.

• The auditor should request management to respond appropriately when MS’s are identified during the audit


• Because generally IT processing is inherently consistent, performing audit procedures to determine whether an automated control has been implemented may serve as a test of that control’s operating effectiveness
– Depending on the auditor’s assessment and testing of IT general controls,
• Including computer security and program change control.


• As noted at page 256 of the audit guide:
– SAS 105 emphasizes the link between understanding the entity, assessing risks, and the design of further audit procedures.

– It is anticipated that “generic” audit programs will not be an appropriate response for all engagements because risks vary between entities.


• MORE WORK PROBABLY:
– SAS 109 introduces the concepts of “Significant Risks” and other “Risks for Which Substantive Procedures Alone do not Provide Sufficient Appropriate Audit Evidence”


• Whether the risk is a risk of fraud.
• Whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires specific attention.
• The complexity of transactions.
• Whether the risk involves significant transactions with related parties.
• The degree of subjectivity in the measurement of financial information related to the risks, especially those involving a wide range of measurement uncertainty.

• Whether the risk involves significant nonroutine transactions which are outside the normal course of business for the entity, or otherwise appear to be unusual.


• If the auditor intends to rely on the controls that mitigate a SR, the auditor should rely on tests of those controls performed in the current audit
– The greater the R/MM, the more audit evidence the auditor should obtain
– The auditor should consider information obtained in prior audits in designing the tests, but not rely on that prior evidence re reliability of the controls

• Per the reference to SAS 110, PP. 45-53 re SR’s: P. 45:


• The more sufficient the evidence from testing the controls, the less substantive testing the auditor can perform


• The more the auditor relies on the operating effectiveness of the control in assessing risk, the more the auditor should increase the extent of the testing of the control

• As the rate of expected deviation from a control increases, the auditor should increase the extent of the testing of the control
– SAS 110, P. 48


• Generally IT processing is inherently consistent
– Hence the auditor may be able to limit the testing to one or a few instances of the control operation.

• An automated control should function consistently unless the program is changed.


• Once the auditor determines that an automated control is functioning as intended
– The auditor should perform tests to determine that the control continues to function effectively

• Such tests might include:
– Determining that changes to the control were not made without being subject to the appropriate program change controls

– That the authorized version of the program is being used, and


– That other relevant general controls are effective.

– That changes to the programs have not been made

• As may be the case when the entity uses packaged software applications without modifying or maintaining them

– The auditor may test the administration of IT security to obtain audit evidence that unauthorized access has not occurred during the period


• The characteristics of routine, day to day business T/A’s often permit highly automated processing with little or no manual intervention.

• It may not be possible to perform only substantive procedures re the risk.


• Audit procedures the auditor may assign to a professional possessing IT skills include
– Inquiring of an entity’s IT personnel how data and T/A’s are initiated, authorized, recorded, processed and reported, and
• How IT controls are designed

– Inspecting systems documentation;
– Observing the operation of IT controls; and

• Planning and performing tests of IT controls


• The guidance provided by SAS 109 relating to documentation is significantly greater than that provided by previous standards (P. 122)


• SAS 110 expressly requires you to document your linkage between assessed risks and further audit procedures, with regard to both:
– An overall assessment at the FS level and
– Further audit procedures responsive to the assessed risk of MM at the relevant assertion level

– Express linkage was not a requirement under previous standards


• SAS 110 refers back to SAS 109, P. 102 for these requirements re the overall assessment:

• The auditor should:
– Identify risks throughout the process of obtaining an understanding and considering the classes of T/A’s, account balances and disclosures

– Relate the identified risks to “what can go wrong” at the relevant assertion level


• SAS 110 points out that the nature of further audit procedures is more important than the timing or extent of them (P. 7)
– Increasing the extent of your audit procedures will not compensate for procedures that do not address the specifically identified risks of MS


• SAS 110 provides that you should perform certain substantive procedures on all engagements. Those procedures include:
– Performing substantive tests for all relevant assertions related to each material class of T/A’s, account balance, and disclosure
• Regardless of the assessment of risk of MM (P. 51)
– Agreeing the FS’s, including their accompanying notes, to the underlying accounting records
– Examining material journal entries and other adjustments made during the course of preparing the FS’s (P. 52)


• Re timing of the tests:

• Using audit evidence about the operating effectiveness of controls obtained in prior audits:
– The auditor should obtain evidence about whether changes have occurred to those specific controls subsequent to the prior audit

• Through a combination of observation, inquiry and inspection

– To confirm the understanding of those specific controls. (P. 40)


• E.g., in a prior audit the auditor may have determined that an automated control was functioning as intended.

• In order to determine whether changes have been made to that control that affect its continued effective functioning, the auditor may:
– Inquire of management and

• Inspect logs to determine if changes have been made to it (P. 40)


• If the controls have changed since the prior audit
– Have the changes affected continued audit reliance on the controls
• i.e., changes that cause data to be accumulated or calculated differently

– Vs. changes that do not affect reliability:
• Changes that enable an entity to receive a new report from the system
• (P. 41)


• If, based on the understanding of the entity and its environment, the auditor plans to rely on controls that have not changed since they were last tested,
– The auditor should test the operating effectiveness of such controls at least once in every third year in an annual audit (P. 42)


• BUT, the auditor may not rely on audit evidence about the operating effectiveness of controls obtained in prior years for
– Controls that have changed since last audited, or
– For controls that mitigate a Significant Risk

• (P. 42 and reference to PP. 40 & 45)


• The auditor should perform the following risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control:

• a. Inquiries of management and others within the entity
• b. Analytical procedures
• c. Observation and inspection
• AU Section 314
• Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

• Source: SAS No. 109.

• Section 6


• The auditor is not required to perform all the risk assessment procedures described above for each aspect of the understanding described in paragraph 21

• However, all the risk assessment procedures should be performed by the auditor in the course of obtaining the required understanding.


• In addition, the auditor might perform other procedures where the information obtained may be helpful in identifying risks of material misstatement.

• For example, in cooperation with the entity, the auditor may consider making inquiries of others outside the entity such as


• the entity’s external legal counsel or valuation experts that the entity has used

• and

• Reviewing information obtained from external sources such as reports by analysts, banks, or rating agencies; trade and economic journals; or regulatory or financial publications


• Although much of the information the auditor obtains by inquiries can be obtained from management and those responsible for financial reporting

• inquiries of others within the entity, such as production and internal audit personnel, and other employees with different levels of authority, may be useful


• in providing the auditor with a different perspective in identifying risks of material misstatement


• In determining others within the entity to whom inquiries may be directed, or the extent of those inquiries

• the auditor should consider what information may be obtained that might help the auditor in identifying risks of material misstatement.


• For example:

• Inquiries directed toward those charged with governance
– may help the auditor understand the environment in which the financial statements are prepared.


• Inquiries directed toward internal audit personnel
– may relate to their activities concerning the design and effectiveness of the entity’s internal control

• And
– whether management has satisfactorily responded to any findings from these activities.


• Inquiries of employees involved in initiating, authorizing, processing, or recording complex or unusual transactions
– may help the auditor in evaluating the appropriateness of the selection and application of certain accounting policies.


• Inquiries directed toward in-house legal counsel
– may relate to such matters as litigation, compliance with laws and regulations
– knowledge of fraud or suspected fraud affecting the entity,
– warranties, post-sales obligations, arrangements (such as joint ventures) with business partners
– and the meaning of contract terms.


4U

1. This is the single most important idea I got from this session.

_____________________________________________________

2. This is why it is important (This is what I will gain from its use): ________________________________________________

3. This is how I will use it: (What to do) (How to do it) (When to do it) (With whom) _____________________________________________________

4. I will share these ideas with _____________________________ not later than ________________ because ___________________________


GOOD LUCK

I HOPE I HAVE HELPED!

REMEMBER—

IT IS NEVER TOO LATE

TO HAVE A HAPPY CHILDHOOD