New Audit Risk Standards

Are You Ready?

John P. Langan, CPAPrincipal in ChargePublic Service GroupMetro, DC OfficeLarsonAllen LLP

2

Learning Objectives

• Gain a Historical Perspective on an Evolving Audit Approach • Receive an Overview of the New AICPA Audit Standards:

SAS 102-114• Share Implementation Experiences: SAS 103 & 112• Understand the Basic Concepts Inherent in the New Audit

Risk Standards SAS 104-111• Identify Specific Ways to Prepare for Addressing the

Standards with your Board, Management and Auditors• Receive Tools and Resources to Support Your Related

Responsibilities

3

Three Audience Perspectives

• Association Financial & Management Professionals• Public Accounting Professionals• Other Association Advisors

4

Historical Perspective

• Expectations “GAAP”• How Auditors Traditionally Audited Non-Profits • Treadway Commission & COSO• The Go-Go 90’s: For-Profit & Non-Profit Fraud • Fall of Arthur Andersen

5

Historical Perspective

• Statement on Auditing Standards No. 99-Active Consideration and Search for Fraud

• New Ethics Rules on Auditor Independence: AICPA,OMB • Sarbanes-Oxley For Public Companies: Rule 404• NFP Implications of Sarbanes-Oxley

– Rise in Audit Committees*– Whistle Blower, Document Retention, Conflict of Interest Policies– Increase in Audit RFP’s– Internal Audit Function– Risk Assessment & Monitoring

*Resource: (AICPA NFP Audit Toolkit www.aicpa.org)

6

Relevant Questions

• What &Where are the Risks of Fraud in NFPs?• What & Where are the Risks of Material Misstatement in

the Financial Statements? • Where do Management’s Responsibilities End and The

Auditor’s Begin?• How Can The Audit Process Be More Efficient &

Effective?

7

Overview of SAS 102-114

• Statements on Auditing Standards (SAS)• Released June 2006• Impact Audits For All Industries & Entities Not Just NFP’s• SAS 102 Defining Terms in Prior Statements• SAS 103 Audit Documentation/Report Dating• SAS 104-111 Risk Assessment Standards• SAS 112 Evaluating Control Deficiencies• SAS 113 Omnibus Statement Revising Prior Statements• SAS 114 Communications with Those Charged with

Governance. Supersedes SAS 61

8

Key Statements & Effective Dates

• SAS 103 & 112 Effective Years Ending On or After 12/31/06 • SAS 104-111 Effective Years Ending On or After 12/31/07• AICPA Risk Alert* Summarizes SAS 104-111

* Available on FAR Web Site: www.far-roundtable.org

9

SAS 103 & 112 Look-backKey ConceptsSAS 103• Sufficient Audit Documentation To Support Audit Opinion• Report Dating• 60 day audit file lock-downSAS 112• Communicate deficiencies in design and implementation

– Since we are assessing more control risks, we may have more control deficiencies to report

• Types of control deficiencies – Inconsequential deficiency (oral)– Significant deficiency (written- SAS 112 & Single Audit Findings)– Material weakness (written- SAS 112 & Single Audit Findings))

10

SAS 103 & 112 Look-back

SAS 103• More Timely Audit Reporting• Planning Counts (Auditor, Management, Audit

Committee)• Potential For The Never Ending Audit: Subsequent

Events/Updated Representations• Potential For Audit Committee Meetings “On The Fly”

SAS 112• Lack of Uniformity in Auditor Application• Reactions & Re-Audits: Speaker War Stories• Share Your Experiences: Auditor & Client

11

Primary Objective of New SASs

• A more in-depth understanding of the client and its environment, including its internal control

• More rigorous risk assessments

• A more direct link between identified risks and audit procedures performed

• Better communication of internal control matters

12

New Requirements For Your Auditor

• Trying to reduce the risk of material misstatement in the financial statements

• Must reduce overall audit risk to a level of “low”• Must obtain a sufficient understanding of the entity and its

environment, including internal control (walk-through, non-program inquiries)

• Must perform risk assessment procedures• Must link identified risks (e.g., inherent risks, control risks,

detection risks) to audit procedures• Must evaluate internal control for significant risks • Must test controls when relevant or necessary• Must communicate with those charged with governance

13

SAS 104-111

• SAS 104 Amends SAS 1 Due Professional Care • SAS 105 Amends SAS 95 Generally Accepted

Auditing Standards• SAS 106 Audit Evidence• SAS 107 Audit Risk & Materiality• SAS 108 Audit Planning & Supervision

14

SAS 104-111

• SAS 109 Understanding The Entity and Its Environment Assessing The Risks of Material Misstatements

• SAS 110 Performing Audit Procedures in Response to Assessed Risk and Evaluating the Audit Evidence Obtained

• SAS 111 Amends SAS 39 Audit Sampling

15

Risk Assessment What can go wrong in the financial statements?• Understand entity and environment• Understand risks of the entity• Understand the risks in financial reporting including and

beyond fraud• Understand internal controls designed to mitigate risks

– Entity-level controls (tighter written procedures)– Activity-level controls (coordination w/IT)

• Determine if controls have been implemented• Not just auditor inquiry• Corroborating evidence required (duplicate inquiries,

written documentation)

16

Key Concept: Supporting Financial Statement Assertions

You Must Support Financial Statement Assertions:

1. Occurrence and Existence

2. Rights and Obligations

3. Completeness

4. Accuracy, Valuation and Allocation

5. Cut-off

6. Classification and Understandability

See Matrix in AICPA Audit Risk Alert

(13 in Standards summarized as 6 above)

17

Key Concept: Supporting Assertions

Assertions Evaluated in Three Areas:

1. Classes of Transactions and Events During The Period

2. Account Balances at the End of the Period

3. Presentation and Disclosure

See Matrix in AICPA Audit Risk Alert

18

Gaining Understanding of Internal Control

Five components of the COSO Integrated Framework*:

1. Control Environment

2. Risk Assessment

3. Information and Communication Systems

4. Monitoring

5. Control Activities

*Executive Summary: Internal Control over Financial Reporting For Small Public Companies available on FAR Web Site:

www.far-roundtable.org

19

Gaining Understanding of Internal Control

• Internal control– Evaluate the design– Capable of effectively preventing, detecting, and

correcting material misstatements– Addresses significant risks and fraud risks

• Has been implemented– Actually exists and entity is using it– Aware of control and responsibility for performance– Working knowledge of how to perform– Inquiry alone not sufficient (e.g., walkthroughs)

• Include information technology controls• Include controls for service organizations utilized

20

Opportunity and Benefits

• Have you evaluated entity risks in a formal manner?• Have you designed and implemented control

procedures to address entity risks?• Understand your organization’s risks for material

misstatement of financial statements (not just fraud) and how your organization’s internal control reduces those risks (see sample Risk Assessment on FAR website).

• Results:– Improved risk management at your organization.– Potential changes to more efficient audit procedures.

21

What Can You Do To Prepare?

• Meet with your Auditors and plan for – Additional inquiries– Additional corroborating evidence– Additional documentation needed– Identification of documentation you currently have

• Educate your Management & Audit Committee with resources and tools identified

• Initiate an internal Risk Assessment and Monitoring Process to support the five elements of internal control and financial statement assertions

Questions & Discussion