Mar 27, 2015
AICPA Auditing Standards Update: Change, Change, Change…
NASACT Audio Conference
April 19, 2006
Presented by Frank Crawford, CPA
President, Crawford & Associates, P.C.
www.crawfordcpas.com
Slide 2
Objectives today
• Review recently issued Generally Accepted Auditing Standards (GAAS)
• Assess impact of standards on the auditing profession
• Take questions
• Consider career change
Slide 3
Background
• AICPA audit standard-setting appeared to be on hold the last few years
• However the ASB appears to have returned with a flurry of new standards
• Overall focus is now attempting to “mirror” the International Audit and Attestations Standards Board (IAASB) Standards
Slide 4
Recently Issued Documents
• Standards issued recently
– 102, Defining Professional Requirements in Statements on Auditing Standards
– 103, Audit Documentation
– 104-111, Audit Risk Assessment Suite of Standards
Slide 5
Recently Issued Documents
• Exposure drafts outstanding
– Amendment to SAS 69, The Meaning of Present Fairly… (applicable only for nongovernmental entities)
– Proposed Statement on Standards for Attestation Engagements, Reporting on an Entity’s Internal Control Over Financial Reporting
– Proposed Statement on The Auditor’s Communication With Those Charged With Governance
– Proposed Statement on Communication of Internal Control Related Matters Noted in an Audit
Slide 6
SAS 102
Introduction to SAS 102
• This Statement on Auditing Standards (SAS) sets forth the meaning of certain terms used in SASs issued by the Auditing Standards Board in describing the professional requirements imposed on auditors.
• This statement was effective upon issuance…
Slide 7
SAS 102
Professional Requirements
• SASs use two categories of professional requirements, identified by specific terms, to describe the degree of responsibility they impose on auditors, as follows:
– Unconditional requirements. The auditor is required to comply with an unconditional requirement in all cases in which the circumstances exist to which the unconditional requirement applies. SASs use the words must or is required to indicate an unconditional requirement.
Slide 8
SAS 102
Professional Requirements
– Presumptively mandatory requirements. The auditor is also required to comply with a presumptively mandatory requirement in all cases in which the circumstances exist to which the presumptively mandatory requirement applies; however, in rare circumstances, the auditor may depart from a presumptively mandatory requirement provided the auditor documents his or her justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the objectives of the presumptively mandatory requirement. SASs use the word should to indicate a presumptively mandatory requirement.
Slide 9
SAS 102 - Defining Professional Requirements
• It’s hard to believe that we need a SAS to tell us that
– Must means must;
– Is required means is required; and
– Should means should, but explain if you don't
• But, oh well…
Slide 10
SAS 103 - Audit documentation
• SAS 103 – Audit Documentation
• Effective for audits of financial statements for periods ending on or after December 15, 2006
• Bringing GAAS more in line with what the Yellow Book standards have required for a number of years
– Uses an “experienced auditor” reference point
– Lists factors to consider when determining the nature and extent of audit documentation over particular areas
– Requires documentation of who performed the audit work, the date it was performed, who reviewed it and the date it was reviewed
Slide 11
SAS 103 - Audit documentation
• SAS 103 – Audit Documentation
• Bringing GAAS more in line with what the Yellow Book standards have required for a number of years
– Provides guidance to the auditor when making changes to audit documentation after delivery of the auditor’s report
– Gives the auditor 60 days from the delivery of the audit report to get all of their audit files assembled and in order
– Certain audit documentation retention issues (5 years)
– Document also contradictory, inconsistent conclusions and how they were resolved, and to justify any departure from the SASs
– Don’t date the audit report until you have gathered enough evidence that the financial statements are fairly presented, evidence which includes both the preparation of, and management’s review, evaluation, and acceptance of responsibility for, the financial statements
– The theory being that it must be tough to opine on something nobody has yet seen, including the auditor…
Slide 12
SAS 104-111, Risk Assessment Standards
1. SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures;
2. SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards;
3. SAS No. 106, Audit Evidence;
4. SAS No. 107, Audit Risk and Materiality in Conducting an Audit;
5. SAS No. 108, Planning and Supervision;
6. SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement;
7. SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained; and
8. SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling
Slide 13
Background
The objectives of the SASs are to improve audit effectiveness by requiring:
• A more in-depth understanding of the entity and its environment, including its internal control.
• More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements.
• A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.
Slide 14
Significant Changes to Existing Practices
• Identifying and assessing the risks of material misstatements at both the financial statement level and the relevant assertion level by performing risk assessment procedures.
• Designing and performing tailored further audit procedures responsive to assessed risks at the relevant assertion level
• Linkage of audit procedures to the risk of material misstatement.
Slide 15
Overview of SASs
SAS No. 104, Amendment to SAS No. 1
• SAS No. 104 expands the definition of “reasonable assurance” as a “high level of assurance”
Slide 16
Overview of SASs
SAS No. 105, Amendment to SAS 95, Generally Accepted Auditing Standards
• “Internal control” replaces “the entity and its environment, including its internal control”
• “Further audit procedures” replaces “tests to be performed”
• “Audit evidence” replaces “evidential matter”
• Reflects new usage of terms required by SAS No. 102.
Slide 17
Overview of SASs
SAS No. 106, Audit Evidence (Amends SAS 31)
“The auditor must obtain sufficient audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.”
Slide 18
Overview of SASs
SAS No. 106, Audit Evidence
• Audit evidence is all the information used by the auditor in arriving at the conclusions on which the audit opinion is based and includes:
– Entity’s accounting records,
– Confirmations,
– Minutes,
– Industry reports,
– Audit procedures such as inquiries, observations, inspections, etc.
Slide 19
Overview of SASs
SAS No. 106, Audit Evidence (continued)
• Categories of Management’s Assertions
a. Classes of transactions
b. Account balances
c. Presentation and disclosure
Slide 20
Overview of SASs
SAS No. 107, Audit Risk and Materiality (Amends SAS 47)
“The auditors should perform the audit to reduce audit risk to a low level that is (in his or her judgment) appropriate for expressing an opinion on the financial statements.”
Slide 21
Overview of SASs
SAS No. 107, Audit Risk and Materiality (continued)
• The auditor should consider audit risk at both:
a. Overall financial statement level
b. Assertion level
Slide 22
Overview of SASs
SAS No. 107, Audit Risk and Materiality (continued)
• Financial statement level risks include, for example:
– Fraud
– Incompetent management
– Related party transactions
Slide 23
Overview of SASs
SAS No. 107, Audit Risk and Materiality (continued)
• At the account balance, class of transactions, or disclosure level, audit risk consists of:
a. Combined risk assessment, which consists of:
1. Inherent risk
2. Control risk
b. Detection risk
Slide 24
Overview of SASs
SAS No. 107, Audit Risk and Materiality (continued)
• The auditor should assess the risk of material misstatement at the relevant assertion level as a basis for further audit procedures.
• The auditor should have an appropriate basis for this assessment.
Slide 25
Overview of SASs
SAS No. 107, Audit Risk and Materiality (continued)
• The determination of materiality, both quantitative and qualitative, is a matter of professional judgment.
Slide 26
Overview of SASs
SAS No. 107, Audit Risk and Materiality (continued)
Tolerable Misstatement (or error)—is the maximum error in a population (e.g., the class of transactions or account balance) that the auditor is willing to accept.
Tolerable misstatement is used to design substantive procedures.
Slide 27
Overview of SASs
SAS No. 107, Audit Risk and Materiality (continued)
• The auditor should reassess the materiality determined during the planning process. Failure to do so may result in inadequate audit procedures.
Slide 28
Overview of SASs
SAS No. 107, Audit Risk and Materiality (continued)
• The auditor must accumulate:
a. Known misstatements – these are specific misstatements arising from the incorrect selection or misapplication of accounting principles or misstatements of facts identified during the audit.
b. Likely misstatements – these are misstatements that include:
1. Audit differences involving auditing estimates and
2. Projected misstatements based on extrapolation of audit evidence.
Slide 29
Overview of SASs
SAS No. 107, Audit Risk and Materiality (continued)
Auditor’s responses to identified misstatements
Type of misstatement | Request management to:
Known | Correct misstatements
Likely - estimates | Examine accounts or class of transactions
Likely - projected | Review assumptions and methods
Slide 30
Overview of SASs
SAS No. 107, Audit Risk and Materiality (continued)
• Evaluating audit findings – the auditor must consider the effect (individually and in the aggregate) of misstatements (known and likely) identified by the auditor that are not corrected by management.
• Document, document, document
Slide 31
Overview of SASs
SAS No. 108, Planning and Supervision (Amends SAS 1 and SAS 22)
“The auditor must adequately plan the work and must properly supervise any assistants.”
Slide 32
Overview of SASs
SAS No. 108, Planning and Supervision (continued)
• SAS No. 108 discusses:
• Appointment of the independent auditor,
• Establishing a written understanding with the client,
• Preliminary engagement activities,
• The overall audit strategy,
• The audit plan,
• Determining the extent of involvement of specialists,
• Additional considerations in initial audit engagements.
Slide 33
Overview of SASs
SAS No. 109, Assessing Risks
“The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.”
[Diagram: Risk Assessment Overview. Labels: Fraud Risk Factors, Respond, Risk Assessment, New Process, Brainstorming, Inquiries, Analytical Procedures, Other]
Slide 35
Overview of SASs
SAS No. 109, Assessing Risks (continued)
• Understanding the entity and its environment, including its internal control.
– Industry, regulatory, and other external factors
– Nature of the entity
– Objectives and strategies and the related business risks that may result in a material misstatement of the financial statements
– Measurement and review of the entity's financial performance
– Internal control
Slide 36
Overview of SASs
SAS No. 109, Assessing Risks (continued)
• The auditor should obtain a sufficient understanding of internal controls to:
a. Evaluate the design of controls relevant to the audit,
b. Determine whether the controls have been implemented.
Slide 37
Overview of SASs
SAS No. 109, Assessing Risks (continued)
• The auditor should perform risk assessment procedures to obtain an understanding of internal control. Procedures include observation, inspection, or performing walkthroughs.
• Inquiry alone is not sufficient to evaluate the design of controls and whether they have been implemented.
Slide 38
Overview of SASs
SAS No. 109, Assessing Risks (continued)
• The auditor should identify and assess the risks of material misstatements at:
a. Financial statement level
b. The relevant assertion level
Slide 39
Overview of SASs
SAS No. 109, Assessing Risks (continued)
• The auditor should use the risk assessment to determine the nature, timing and extent of the further audit procedures to be performed.
• When the risk assessment is based on an expectation that controls are operating effectively, the auditor should perform tests of controls.
Slide 40
Overview of SASs
SAS No. 109, Assessing Risks (continued)
• Significant risks
– Require special audit consideration
– Different than high inherent risk
– Often relate to significant nonroutine transactions and judgmental matters
Slide 41
Overview of SASs
SAS No. 110, Performing Procedures (together with Assessing Risks amend SAS 55)
“The auditor must obtain sufficient appropriate audit evidence through audit procedures performed to afford a reasonable basis for an opinion regarding the financial statements taken as a whole.”
Slide 42
Overview of SASs
SAS No. 110, Performing Procedures (continued)
• SAS No. 110 provides guidance on:
a. Determining overall responses
b. Designing and performing further audit procedures
Slide 43
Overview of SASs
SAS No. 110, Performing Procedures (continued)
• The auditor should design and perform further audit procedures that are responsive to the assessed risk at the relevant assertion level.
• The purpose is to provide a clear linkage between the risk assessments and the further audit procedures.
Slide 44
Overview of SASs
SAS No. 110, Performing Procedures (continued)
• Audit Approach
a. The auditor should have an appropriate basis for the audit approach.
b. Defaulting to a maximum control risk without an appropriate basis is no longer permitted.
c. Nature, timing, extent
Slide 45
Overview of SASs
SAS No. 110, Performing Procedures (continued)
• Tests of controls must be performed when:
a. Auditor’s risk assessment includes an expectation of the operating effectiveness of controls, or
b. Substantive procedures alone do not provide sufficient audit evidence
Slide 46
Overview of SASs
SAS No. 110, Performing Procedures (continued)
• Test of Controls may be rotated
– The auditor should test the operating effectiveness of controls at least every three years in an annual audit
– The auditor should update his or her understanding to ensure controls have not changed
– If the auditor plans to rely on controls that have changed, the auditor should test the controls
Slide 47
Overview of SASs
SAS No. 110, Performing Procedures (continued)
• If the auditor plans to rely on controls that mitigate significant risks, the auditor needs to test those controls in the current period, that is, these controls cannot be rotated.
Slide 48
Overview of SASs
• SAS 111, an amendment to SAS 39, Audit Sampling
– Moves guidance from the appendix into the body of the statement and into SAS 107
– Also incorporates discussion from SAS 99 and SAS 110
– Enhances guidance to the auditor about his/her judgments related to tolerable misstatement
Slide 49
Overview of SASs
• The standards are effective for audits of financial statements with periods beginning after 12/15/06 (Calendar 07, FY 08 audits)
• To assist implementation of the standards, an audit guide will be issued.
• Read the Audit Risk Alert entitled Understanding the New Auditing Standards Related to Risk Assessment for a summary of the standards and highlights of significant changes
Slide 50
Exposure Draft – Reporting on an Entity’s Internal Control
• Applicable to and appropriate for examinations of the internal control of non-issuers
• Reflects guidance in PCAOB Auditing Standard #2
• In other words, follow this standard when management of a non-publicly traded company wants an opinion on internal control
• Comment period ends May 19, 2006
• Probably will be effective upon issuance
Slide 51
Exposure Draft – Communication With Those Charged with Governance
• Proposed replacement for SAS 61, Communication with Audit Committees
– Necessary due to the ramifications of the well-publicized audit failures and the need for open communication between the auditor and those charged with governance
– Stresses the importance of communication being a two-way street
– It appears to take the current SAS 61 communication requirements, and adds more
– Comment period ends May 31, 2006
– Proposed effective date is for audits of financial statements for periods beginning after December 15, 2006
Slide 52
Exposure Draft – Communication of Internal Control Matters
• Communication of Internal Control Related Matters Noted in an Audit
– Uses new definitions of what is to be reported as an internal control finding, removing the term “reportable condition”, and now using the terms “control deficiency”, “significant deficiency” and revising the term “material weakness”
• A word to the wise here, it appears that the new definitions are much more broad than the old ones
– Requires the auditor to evaluate findings based upon which “severity bucket” (my term) the finding falls in
– Requires written communication of all significant deficiencies and material weaknesses (even those that have been reported to the entity previously) to management and those charged with governance
– Written communication should be made by the financial statement audit report delivery date, or at least, no later than 60 days following the report release date
Slide 53
Exposure Draft – Communication of Internal Control Matters
• Communication of Internal Control Related Matters Noted in an Audit
– Inherent in this is that the auditor can’t be a part of the entity’s COSO internal control framework for financial reporting without that involvement being considered at least a significant deficiency, which is more than likely also a material weakness, which would be reported to management and those charged with governance every year
– Proposed effective date is for audits of financial statements for periods ending on or after December 15, 2006 (but I think it will be changed)
Questions???