Accounting and Auditing Standards Update2006 NSAA/NASC Joint Middle Management Conference Indianapolis, Indiana April 10, 2006.

Accounting and Auditing Standards Update—2006

NSAA/NASC JointMiddle Management ConferenceIndianapolis, IndianaApril 10, 2006

Effective Immediately Defining professional standards (SAS 102)

Effective for audits of June 30, 2007 F/S Audit documentation (SAS 103)

Effective for audits of June 30, 2008 F/S Risk assessment standards (SASs 104 –

111)

What We’ll Cover

What’s Coming AICPA Communicating Internal Control

Matters (SAS No. 112?) U.S. GAO Government Auditing

Standards (ED soon) OMB 2006 Compliance Supplement

(Final)

What We’ll Cover

Ethics Rulings (Nos. 113 & 114) Ethics Conceptual Framework

If Time Permits . . .

Our Objectives

As a result of today’s session, participants will be able to:Identify the key the concepts for recently

issued audit standardsFollow and understand the development

of current auditing standards projectsConsider the impact for auditing (or

being audited)

SAS No. 102 and SAE 13—Defining Professional Requirements

SAS No. 102 and SAE No. 13

Defines terminology to describe degree of responsibility to auditor

Unconditional—“Must” or “Is required” Presumptively mandatory—“Should” Explanatory—Descriptive guidance rather

than imperative Applies to existing standards

SAS No. 103—Audit Documentation

Audit Documentation Basics

In sufficient detail for an experienced auditor without connection to the audit to understand:Work performedResults of that workEvidence obtainedConclusions reachedAccounting records agree or reconcile with

the financial statements or other information.

Audit Documentation Basics

An experienced auditor is one who knows enough, including understanding of:Audit processSASs and legal/regulatory requirementsThe entity’s business environmentAuditing and financial reporting issues

relevant to the entity’s industry.

Audit Documentation Basics

Oral explanations are not sufficient support for work performed or

conclusions reached

More Documentation Guidance

What should be in or outElectronic mediaAbstracts and copiesSignificant findings and issuesSuperseded drafts and notesPrior versions

More Documentation Guidance

Identify preparer and reviewerWho performed the audit workThe date such work was completedWho reviewed specific documentationThe date and extent of such review

Document specific items tested

New Dates to Remember

Field workNo earlier than when sufficient evidence

exists to support the opinion Audit files assembled

Within 60 days after report release Retention

Minimum 5 years after report release

SAS Nos. 104–111—Risk Assessment Suite of Standards

Risk Assessment Standards

Most far-reaching change in standards in 20 years

Issued in March 2006 Amends or revises 8 existing

standards

Standards Amended or Revised Amends SAS 1, Due Professional Care Amends SAS 95,GAAS Planning and Supervision Understanding the Entity and Assessing Risks Audit Evidence Audit Risk and Materiality Performing Audit Procedures and Evaluating

Evidence Amends SAS 39, Audit Sampling

Risk Assessment Standards—Objectives More in-depth understanding of entity

and internal controls More rigorous assessment of risks of

misstatement Improved linkage between assessed

risks and audit procedures performed

Planning and Supervision

Enhances guidance onPreliminary activitiesAudit strategy and planEstablishing understanding with

clientCommunication with Governance

Understanding Entity/Assessing Risks Guidance for

Gaining understanding about entitySources of information

Discuss internal control components Describe risk assessment process

Audit Evidence

Enhances guidance onSufficiency of audit evidenceAudit procedures, incl. tests of controls

New assertionsClass of transactions (5)Account balances (4)Presentation and disclosures (4)

New Assertions

Class of transactionsOccurrenceCompletenessAccuracyCutoffClassification

New Assertions

Account balancesExistenceRights and ObligationsCompletenessValuation and Allocation

New Assertions

Presentation and disclosuresOccurrence and Rights and

ObligationsCompletenessClassification and UnderstandabilityAccuracy and Valuation

Risk and Materiality

Guidance forConsidering risk and materiality at the

financial statement levelConsidering risk and materiality at the

transaction, balance, or disclosure level

Reassessing materiality as audit progresses

Risk and Materiality

Evaluating misstatementsKnownLikelyIndividually and in the aggregateIron curtain versus rolloverQualitative

Performing Procedures

Design procedures that respond to risksDetermining overall responseTesting controls (encouraged)Substantive tests

Evaluate sufficiency of evidence

Tests of Controls

Auditors cannot default to “the Max” Tests of effectiveness “encouraged” Explains when controls must be tested

I/C test can be rotated once every 3 yearsAnnual update to confirm no changesTest annually, if changedLengthy discussion of IT controls

Communication of Internal Control Matters Identified in an Audit

Communicating Internal Controls

New definitionsControl deficiencySignificant deficiencyMaterial weakness

New thresholdMore deficiencies required to be identified

as significant or material

Snapshot of the Difference

Old Definitions New Definitions

Material weakness Material weakness

Reportable conditionSignificant deficiency

Management letter comment

Other internal control matter

U.S. GAO Temporary Exemptions and Guidance in Response to Hurricanes Katrina and Rita

The Quick and Dirty . . .

Temporary exemption for some from:Certain independence standardsPeer review requirementsContinuing professional education

requirements

The Quick and Dirty . . .

Guidance for some for:Required audits when auditee’s

records are lost or destroyedCompleted or in-process audit

documentation lost or destroyed before audit report issued

U.S. GAO Plans for Revising Government Auditing Standards

Yellow Book Revisions for 2006 GAO drafting Advisory Council reviewing Exposure draft in late April/early May 2006 Version issued late Summer/

early Fall Likely effective for 2007

Yellow Book Revisions for 2006 Strengthen audit quality Evidence and data reliability in

performance audits Expand categories of nonaudit

services Reporting deficiencies in internal

control

Yellow Book Revisions for 2006 Enhanced ethics discussion Auditor’s responsibilities for

restatements Use of GAGAS with other standards Clarification and clean up

Strengthen Audit Quality

ObjectivesIncreased emphasis on qualityIncreased transparencyConsideration of peer review and

internal inspection quality

Strengthen Audit Quality

Defines elements of QC systemEthical requirementsAcceptance and continuation of auditsHuman resourcesAudit performance and reportingMonitoring of quality

Strengthen Audit Quality

Defines “normal” monitoringFormal and documentedFor the entire yearCover all elements of QC systemReview of audit documentationPerformed by those not performing workWritten report and appropriate follow-up

Strengthen Audit QualityNew external peer review timeframes

If the most recent peer review is:

Adverse Annual external review

Modified Annual follow-up

Unmodified, no enhanced criteria

Triennial external review

Unmodified, with enhanced criteria

Quinquennial external review

Strengthen Audit Quality

Enhanced monitoring criteriaRigorous annual internal inspection

Review independence and human capital Review audits Survey professional staff Formal report to top management Consideration and corrective action

Strengthen Audit Quality

Enhanced monitoring criteriaTransparency: public disclosure of

Description of QC systemInternal inspection resultsExternal peer review opinion and letter

of comments

Strengthen Audit Quality

Enhanced monitoring criteriaOther criteria:

Most recent external peer review included review of inspection process

No major changesNo violations or sanctions

Evidence and Data Reliability for Performance Audits

ObjectivesClearly articulate level of assurance in

performance auditsImprove consistency in practiceUpdate concept of appropriateness of

data used as evidence

Evidence and Data Reliability for Performance Audits

Defining level of assuranceReasonable assurance over answers to

audit questionsReasonable assurance of adequate

support to achieve objectivesLevel of assurance and tests of evidence

will vary

Evidence and Data Reliability for Performance Audits

Sufficient, appropriate evidenceReplaces sufficient, competent,

relevantPrevious: competent = valid, reliableNow: appropriate = relevant, reliable,

valid

Evidence and Data Reliability for Performance Audits New “overall assessment of evidence”

Discussion for evaluating sufficiency and appropriateness

Assess data and information used as: Appropriate—gives reasonable assurance Not appropriate—unacceptably high risk for

use Undetermined appropriateness—cannot

conclude about appropriateness

Evidence and Data Reliability for Performance Audits Enhanced reporting

Expanded discussion of data assessments in Objectives, Scope and Methodology section

Expanded GAGAS citation—adds:“We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.”

Expand categories of nonaudit services

ObjectivesClarify other nonaudit services we

performReiterate need to consider in relation

to independence

Expand categories of nonaudit services

Four new categories on nonaudit servicesFor us, the legislature, or external partyRoutine activitiesProviding basic or limited servicesActivities replacing entity

Expand categories of nonaudit services

Legislature/others Would not impair

Routine activities Would not impair

Limited services Safeguards needed

Replacing entity Would impair

Reporting Deficiencies in Internal Control

Objectives—consistency with PCAOB and AICPA

Same revisions as AICPA’s new revisions

New reporting requirements

Reporting Deficiencies in Internal Control

New reporting guidanceMaterial weaknesses in I/C ReportSignificant deficiencies

Can be in same reportCan be in separate report, if issued to same recipients within 45 days

Reporting Deficiencies in Internal Control New challenges for auditors

Timing of issuing I/C Report—same as financial statements

How to report significant deficiencies—in same report or separate?

Applying language to single audit

Enhanced Ethics Discussion

ObjectivesClarify ethical requirementsHighlights ethical responsibilitiesExpand discussion of professional

judgment

Auditor’s responsibilities for restatements Objectives

Provide guidance for growing problem (in federal financial statements)

Requires auditors to assess management’s judgments, adequacy and timeliness

Requires auditors to communicate to entity and others, if entity fails to do so

Other Standards and Cleanup

Guidance for audits under multiple standards

Defining must, should and should consider

Sundry other minor items

U.S. OMB 2006 Compliance Supplement

2006 Compliance Supplement

Will be a complete version Drafts have been circulated Plan to issue soon Appendix V for list of changes

Part 3—Compliance Requirements

Updated to reflect reissuance of Cost Circulars and cost principles

Clarify common rule requirements Auditors to be alert for Improper

Payments Suspension and debarment

changes

Part 4—Agency Program Requirements Added Food for Peace Program (CFDA

98.008) Changes to Public Works and Economic

Development (CFDA 11.300) and Economic Adjustment (CFDA 11.307)

Lots of isolated/reference/changes changes

Part 5—Clusters of Programs

Updated R&D cluster for areas of vulnerability

Deleted Health Education Assistance Loans (93.108) from SFA Cluster

Added eZ-Audit to SFA program requirements

App. VI—Federal Agency Waivers

Recipients affected by Hurricanes Katrina and Rita (& Wilma)

Auditors should:Verify waiversConsult Dept.’s Internet Home PageStart with Parts 4, 5, or 7, then waiversReport finding if noncompliance and no/invalid

waivers

App. VI—Federal Agency Waivers

Part 3—Davis-Bacon Act Part 4—Table of programs affected

by waivers; and details by CFDA No. Part 5—SFA Cluster

No Changes

Part 6—Internal control Part 7—Guidance when not included App. I—Common Rule exclusions App. II—Federal agency codification App. VII—A-133 advisories App. VIII—SAS 70 for EBT

Updated References

App. III—Federal agency contacts App. IV—Internal references table App. V—List of changes App. IX—Supplement core team

Do we have time?

Ethics Rulings No. 113 and 114—Gifts or Entertainment

Auditors and Gifts or Entertainment

An auditor can offer or accept gifts or entertainment from his or her client (or a vendor), and not impair the auditor’s independence, ifThe gift is insignificant in valueThe gift or entertainment is reasonable

in the circumstances

What’s Reasonable?

Circumstances to considerNature of gift or entertainmentOccasionCost or valueFrequency and value of other giftsIn or around conducting businessWhether others participatedWho participated

Arizona’s Code of Ethics The employee shall not accept or solicit, directly or

indirectly, anything of economic value as a gift, gratuity, favor, entertainment, or loan that is or may appear to be designed to in any manner influence official conduct, particularly from a person who is seeking to obtain contractual or other business or financial arrangements with the employing agency, or who has interests that might be substantially affected by the performance or nonperformance of the employee's duty.

Arizona’s Code of Ethics This provision does not prohibit acceptance by an

employee of food and refreshments of insignificant value on infrequent occasions in the ordinary course of a meeting, conference, or other occasion where the employee is properly in attendance, nor the solicitation or acceptance by an employee of loans from banks or other financial institutions on customary terms to finance proper and usual activities of the employee, nor the acceptance of unsolicited advertising or promotional material such as pens, pencils, calendars, and other items of nominal intrinsic value.

Ethics Conceptual Framework for Independence Standards

Ethics Conceptual Framework

Risk-based tool used by Ethics Executive Committee

Now can be used by auditors when not addressed in existing rulings and interpretations

Risk Based Approach

Identify and evaluate threatsIf threats at acceptable level, no

safeguardsIf threats not at acceptable level,

consider safeguards

Risk Based Approach

Do safeguards eliminate or sufficiently mitigate threat?Use of one or more safeguards against

threatOne safeguard may eliminate one or

more threatsIf safeguards are unavailable or

ineffective, independence is impaired

Risk Based Approach

Definitions Threats—7 types explained Safeguards—3 categories

Created by profession or regulationImplemented by auditeeImplemented by auditor

And More to Come!

Internal Control Attestations—ED Communications with Governance

—ED Quality Control—ED soon Related Parties—ED soon

That’s About It!

Any Questions?