1. The Changing World of �External Audit�An ASB Update��by Chuck Landes, CPA�AICPA VP Professional Standards�clandes@aicpa.org
3. Audit and Attest Standards Update�
Current ASB Projects
4. Audit and Attest Update�Clarity Project Statements of auditing standards would be reformatted as follows:
Objectives
Requirements
Application material
Issues:
Are the individual statements useful?
How to deal with superseded/revised versions?
Where and how often to use “must”? Should they be used outside of the 10 GAAS Standards?
5. Audit and Attest Update�Audit Reports Task force is considering changes to SAS 58 to determine the relevancy of the existing reporting requirements and language to nonissuers.
Audit Report Research Project – the objective is to research:
the “expectation gap”
how the audit report might be revised to better address the “expectation gap.”
6. Audit and Attest Standards Update
SAS 112,
Communicating Internal Control Related Matters Identified in an Audit
7. SAS 112 – Key Concepts The auditor cannot be part of a client’s internal control. Becoming part of a client’s internal control impairs the auditor’s independence.
What the auditor does (or does not do) is independent of the client’s internal control over financial reporting. Therefore, the auditor cannot be a compensating control for the client.
The client’s designation of an individual who possesses suitable skill, knowledge, and/or experience to oversee a service performed by the CPA (Ethics Interpretation 101-3 Performance of Nonattest Services) is not a control. Therefore, having such a designated person does not mean that the client does not have a control deficiency.
SAS No. 112 does not require the auditor to search for control deficiencies, but rather to evaluate them if they have been identified.
To properly apply SAS No. 112 the auditor has to have a working knowledge of the COSO framework. COSO’s Internal Control-Integrated Framework describes the elements of internal control over financial reporting.
8. SAS 112 Conforms definitions of control deficiency, significant deficiency, and material weakness to those in PCAOB AS#2 . The term significant deficiency replaces the term reportable condition
Requires written communication of significant deficiencies and material weaknesses to management and those charged with governance.
Should be communicated even if they were communicated in connection with previous audits
9. Old Definition from SAS 60 A material weakness is a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.
10. New Definitions - SAS 112 Significant deficiency: A control deficiency, or combination of control deficiencies … such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.
Control deficiencies may involve one or more of five components of internal control
Material weakness : A significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.
11. SAS 112 Provides guidance on evaluating severity of control deficiencies based on likelihood and magnitude
Would misstatements or potential misstatements be “more than inconsequential”?
Rule of thumb > 20% of materiality but must also consider qualitative factors
Identifies control deficiencies that ordinarily are at least significant deficiencies, and
Indicators of control deficiencies that are at least a significant deficiency and a strong indicator of a material weakness
12. SAS 112 After evaluating severity of deficiency (control deficiency, significant deficiency, material weakness), auditor considers whether “prudent officials” having knowledge of same facts and circumstances would agree with auditor’s conclusion
Written communication required no later than 60 days following issuance of audit report
Provides illustrative written communications
Includes an appendix containing examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses
13. Audit and Attest Standards Update
SAS 103, Audit Documentation
14. SAS 103 Although already effective, certain key changes resulting from SAS 103 may still be causing some questions:
60 day lockdown
5 year retention
Amended report dating
15. SAS 103 Assemble the final audit engagement file within 60 days following the report release date.
After 60 days – no deletion or discard of existing audit documentation
After 60 days – appropriately document subsequent additions
Minimum file retention period of five years from the report release date.
16. SAS 103 Dating of the auditor’s report:
Not earlier than the date on which the auditor has obtained sufficient appropriate evidence to support the opinion.
When do you have “sufficient appropriate evidence”?
When you are at a point that you would be comfortable signing the report and releasing to the client.
You may not need to have the management representation letter physically in hand to have sufficient appropriate audit evidence.
17. Practice Alert 2007-01 Practice Alert is available at http://www.aicpa.org/Professional+Resources/Accounting+and+Auditing/Audit+and+Attest+Standards/Professional+Issues+Task+Force/pract_alerts.htm
18. Audit and Attest Update
Risk Assessment Standards
SASs 104-111
19. Risk Assessment Standards The risk assessment standards consist of:
SAS No. 104, Amendment to Statement on Auditing Standards No. 1
SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
SAS No. 106, Audit Evidence
SAS No. 107, Audit Risk and Materiality in Conducting an Audit (Audit Risk and Materiality)
SAS, No. 108, Planning and Supervision
SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Assessing Risks)
SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Performing Procedures)
SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling
20. Risk Assessment Standards
Why issued? The ASB believes that the SASs represent a significant strengthening of auditing standards which in turn will improve the quality of audits conducted under these standards
Much of SAS 99 theory originated in our deliberations over risk assessment standards
21. Risk Assessment Standards Enhances the auditor’s application of the audit risk model in practice by requiring:
More in-depth understanding of the entity and its environment, including its internal control
More rigorous assessment of the risks of material misstatement
Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed
22. Risk Assessment Standards Enhances the auditor’s application of the audit risk model:
AR = [CR x IR] x DR
[CR x IR] = RMM
AR = Audit Risk
CR = Control Risk
IR = Inherent Risk
DR =Detection Risk
RMM = risk of material misstatement
23. Risk Assessment Standards The quality and depth of the required understanding of the entity and its environment, including its internal control, is significantly enhanced
Aspects of the Entity’s Environment1
Industry, regulatory, and other external factors
Nature of the entity
Objectives and strategies and related business risks
Measurement and review of the entity’s financial performance
Internal control
1SAS 109, Assessing Risks, paragraphs 21 - 101
24. Risk Assessment Standards Internal Control Framework is unchanged
25. Risk Assessment Standards Internal Control
New requirement – auditors should obtain a sufficient understanding to:
Assess strength of design of controls
Determine whether controls were placed in operation
26. Risk Assessment Standards The auditor should assess the risks of material misstatement at the financial statement level and at the relevant assertion level on all audits based on the understanding obtained
27. Risk Assessment Standards Levels of Audit Risk
Financial Statement
Account/Assertion– defined by the audit risk model (AR = IR X CR X DR)
28. Risk Assessment Standards New Assertion Framework
29. Risk Assessment Standards Identifying risks through considering
The entity and its environment, including its internal control
Classes of transactions, account balances, and disclosures
Relating the identified risks to what could go wrong at the relevant assertion level
Significant risks1
1SAS 109, Assessing Risks, paragraphs 102-121
30. Risk Assessment Standards
31. Risk Assessment Standards The auditor should have an appropriate basis for his/her audit approach. Default to maximum for control risk assessment is disallowed.1
1SAS 110, Performing Procedures, paragraph 8
32. Risk Assessment Standards Testing of controls is encouraged
The requirement to link assessed risks and the audit procedures responsive to those risks is improved
Risk assessment is a continuous process, not a series of discrete stages
33. Risk Assessment Standards Perform further audit procedures that are clearly linked to risks at the relevant assertion level by:
Performing tests of the operating effectiveness of controls
Performing substantive procedures
Evaluating the adequacy of presentation and disclosure1
1SAS 110, Performing Procedures SAS, paragraphs 23-68
Evaluate whether sufficient competent audit evidence has been obtained2
2SAS 110, Performing Procedures, paragraphs 70-76
34. Risk Assessment Standards
Greater emphasis is placed on testing of disclosures
Guidance on evaluating audit findings is clarified and expanded
Documentation requirements are significantly expanded
35. Risk Assessment Standards Iron Curtain/Rollover Issue
In evaluation of audit findings, the auditor should consider the effects of misstatements related to prior periods.1
1SAS 107, Audit Risk and Materiality, paragraphs 52 and 53.
36. Risk Assessment Standards Iron Curtain/Rollover Issue
The guidance in SAS 107 is neutral1
ASB is waiting for FASB to issue guidance with respect to this issue
SEC issued SAB 108 to address issue for audits of public companies (not applicable to audits of nonissuers)
Many client and audit methodologies will be impacted
1Paragraph 53 of SAS 107, Audit Risk and Materiality
37. Risk Assessment Standards SAS 104 amends SAS 1 to clarify that “reasonable assurance” is a “high level of assurance”
SAS 108 requires that auditors obtain a written understanding with the client, i.e. engagement letter.
Ordinarily sample sizes for non-statistical samples are comparable to sample sizes for an efficient and effectively designed statistical sample with the same sampling parameters.
All eight standards are effective for all audits of periods beginning after December 15, 2006
38. Risk Assessment Standards Resources available
Audit Guide – Assessing and Responding to Audit Risk in a Financial Statement Audit
Audit Risk Alert – Issued in March 2006
CPE Courses
39. Audit and Attest Standards Update
SAS No.114,
The Auditor’s Communication with
Those Charged With Governance
40. SAS 114 Supersedes SAS 61, Communication with Audit Committees
Applies to audits of all non-issuers
The auditor must communicate with those charged with governance significant audit matters relevant to the responsibilities of those charged with governance in overseeing the financial reporting process
41. SAS 114 Those charged with governance = those responsible for overseeing the strategic direction of the entity and obligations related to the accountability of the entity, including overseeing the entity’s financial reporting process.
Management = Those responsible for achieving the objectives of the entity who have the appropriate authority. Management is responsible for the financial statements, including designing, implementing, and maintaining effective internal control over financial reporting.
42. SAS 114 Requires the auditor to determine the appropriate persons with whom to communicate particular matters.
May be different based on the matters to be communicated.
Encourages the use of professional judgment in deciding with whom to communicate particular matters.
43. SAS 114 Required to communicate:
The auditor’s responsibilities under GAAS
Auditor responsible for forming and expressing opinion
Does not relieve management or those charged with governance of their responsibilities
Audit designed to obtain reasonable, not absolute, assurance
Includes consideration of internal control, but not an opinion on its effectiveness
An overview of the planned scope and timing of the audit
Be careful not to compromise effectiveness of the audit
Considerations when all or substantively all of those charged with governance are involved in managing the entity:
If you communicated matters required by this statement to people in management, and those same people are charged with governance, you don’t have to tell them the same things twice.
Don’t have to tell those charged with governance matters that relate to oversight (see below) because there is no oversight separate from management. (although this is probably covered by no. 1 above)
The three major categories that auditors are required to communicate are (with details)
The auditor’s responsibilities under GAAS
Performing the audit in accordance with GAAS
Forming and expressing an opinion on the financial statements
Communicating relevant significant matters
Planned scope and timing of the audit
Approach to significant risk of material misstatement
Concept of materiality
Significant findings from the audit
Qualitative aspects of entity’s accounting practices
Significant difficulties
Uncorrected misstatements
Disagreements with management
Other relevant issues
And, unless all those charged with governance are involved in management
Material corrected misstatements
Representations requested from management
Management’s consultation with other accountants
Significant issues discussed in connection with retentionConsiderations when all or substantively all of those charged with governance are involved in managing the entity:
If you communicated matters required by this statement to people in management, and those same people are charged with governance, you don’t have to tell them the same things twice.
Don’t have to tell those charged with governance matters that relate to oversight (see below) because there is no oversight separate from management. (although this is probably covered by no. 1 above)
The three major categories that auditors are required to communicate are (with details)
The auditor’s responsibilities under GAAS
Performing the audit in accordance with GAAS
Forming and expressing an opinion on the financial statements
Communicating relevant significant matters
Planned scope and timing of the audit
Approach to significant risk of material misstatement
Concept of materiality
Significant findings from the audit
Qualitative aspects of entity’s accounting practices
Significant difficulties
Uncorrected misstatements
Disagreements with management
Other relevant issues
And, unless all those charged with governance are involved in management
Material corrected misstatements
Representations requested from management
Management’s consultation with other accountants
Significant issues discussed in connection with retention
44. SAS 114 Required to communicate (con’t):
Significant findings from the audit
Qualitative aspects of significant accounting policies
Significant difficulties, if any, encountered
Uncorrected misstatements
Disagreements with management
Other significant and relevant findings or issues
Material corrected misstatements
Management representations requested
Management’s consultation with other accountants
Significant issues discussed with management
Considerations when all or substantively all of those charged with governance are involved in managing the entity:
If you communicated matters required by this statement to people in management, and those same people are charged with governance, you don’t have to tell them the same things twice.
Don’t have to tell those charged with governance matters that relate to oversight (see below) because there is no oversight separate from management. (although this is probably covered by no. 1 above)
The three major categories that auditors are required to communicate are (with details)
The auditor’s responsibilities under GAAS
Performing the audit in accordance with GAAS
Forming and expressing an opinion on the financial statements
Communicating relevant significant matters
Planned scope and timing of the audit
Approach to significant risk of material misstatement
Concept of materiality
Significant findings from the audit
Qualitative aspects of entity’s accounting practices
Significant difficulties
Uncorrected misstatements
Disagreements with management
Other relevant issues
And, unless all those charged with governance are involved in management
Material corrected misstatements
Representations requested from management
Management’s consultation with other accountants
Significant issues discussed in connection with retentionConsiderations when all or substantively all of those charged with governance are involved in managing the entity:
If you communicated matters required by this statement to people in management, and those same people are charged with governance, you don’t have to tell them the same things twice.
Don’t have to tell those charged with governance matters that relate to oversight (see below) because there is no oversight separate from management. (although this is probably covered by no. 1 above)
The three major categories that auditors are required to communicate are (with details)
The auditor’s responsibilities under GAAS
Performing the audit in accordance with GAAS
Forming and expressing an opinion on the financial statements
Communicating relevant significant matters
Planned scope and timing of the audit
Approach to significant risk of material misstatement
Concept of materiality
Significant findings from the audit
Qualitative aspects of entity’s accounting practices
Significant difficulties
Uncorrected misstatements
Disagreements with management
Other relevant issues
And, unless all those charged with governance are involved in management
Material corrected misstatements
Representations requested from management
Management’s consultation with other accountants
Significant issues discussed in connection with retention
45. SAS 114 Communicate the form, timing and expected content of communications.
Communicate significant findings in writing if oral communication would not be adequate.
Other communications may be oral or written.
Requirement to evaluate the two-way communication between the auditor and those charged with governance.
46. SAS 114 Document significant matters communicated.
Communicate events or conditions that indicate that there could be substantial doubt about the entity’s ability to continue as a going concern.
Effective date = periods beginning on or after December 15, 2006.
47. Quality Control Exposure Draft Requires a firm’s system of quality control to address each of the following elements:
Leadership responsibilities for quality within the firm (“tone at the top”);
Independence, integrity, objectivity, and other legal and ethical requirements;
Acceptance and continuance of client relationships and specific engagements;
Human resources (formerly Personnel Management);
Engagement performance and engagement documentation; and
Monitoring.
48. Quality Control Exposure Draft Requires a firm to document its quality control policies and procedures. The extent of the documentation is based on the size, structure and nature of the firm’s practice.
Recognizes the importance of a quality-oriented internal culture, and requires firms to assign its management responsibilities so that commercial considerations do not override the objectives of the system of quality control, and to design its policies and procedures addressing personnel performance evaluation, compensation and promotion to demonstrate the firm’s overarching commitment to quality.
Provides more detailed guidance on independence, and requires a written confirmation of compliance with independence requirements from all firm personnel at least annually.
A firm may obtain this confirmation on an engagement-by-engagement basis.
49. Quality Control Exposure Draft Provides more detailed guidance on client acceptance and continuance, and requires documentation of the resolution of significant issues.
Provides more detailed guidance on engagement supervision and review, engagement documentation, and consultation policies and procedures.
Requires policies and procedures for resolving differences of opinions, including a requirement that reports must not be issued until the differences of opinions are resolved.
Requires annual monitoring procedures, which include one or more of the following:
Engagement quality control reviews.
Post-issuance reviews.
Inspection procedures.
50. Quality Control Exposure Draft The proposed SQCS defines the engagement quality control review (often referred to as a concurring review), and requires firms to establish criteria to determine which engagements are to be subject to an engagement quality control review. It also provides guidance on policies and procedures for performing engagement quality control reviews.
51. Audit and Attest Standards Update
Proposed Revisions of AT 501
52. Proposed Revisions of AT 501 January 2006: ASB issues ED Revising AT 501
ED incorporated elements of PCAOB AS2
May 2006: PCAOB announces plans to amend AS2
ASB defers issuance of revised AT 501
Staff makes interim conforming changes to AT 501 to avoid inconsistencies with SAS 112
53. Proposed Revisions of AT 501 Requires a scope of work similar to PCAOB AS2 when engaged to examine the design and operating effectiveness of internal control over financial reporting
Contains reporting guidance when scope of internal control has been expanded, for example, examinations of internal control of insured depository institutions subject to internal control reporting requirements of FDICIA
54. Proposed Revisions of AT 501 Like SAS 112, requires practitioner, after concluding on severity of deficiency, to consider whether “prudent officials” would agree with practitioner’s conclusion.
Contains examples that depict how a practitioner might evaluate the significance of an account and respond to that evaluation.
Allows practitioner to report on only design effectiveness of internal control. Then audited financial statements are not required.
55. Proposed Revisions of AT 501 Requires a written communication to management and those charged with governance regarding:
Significant deficiencies and material weaknesses that exist as of the date of management’s assertion
Significant deficiencies and material weaknesses that existed during the examination period and were remediated prior to the date of management’s assertion
Any known or suspected fraud
56. Proposed Revisions of AT 501 New appendixes:
Examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses
Illustrative report that management must provide to external parties if the practitioner’s report is to be for general use
Illustrative written communication to those charged with governance
57. Proposed Revisions of AT 501 Project on hold until PCAOB AS5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, is finalized
58. Audit and Attest Standards Update�Other Current ASB Projects
Related Parties
Required Supplementary Information/Supplementary Information
Revisions to SAS No. 70
Revisions to auditing estimates and fair value
Revisions to SAS 69, GAAP hierarchy
Guidance issued on fair value of alternative investments and FIN 48
59. 13703 - Mike Polk, Hispanic Townhall - 9-27-02 10/17/2011 10:25 PM 59 ���To order the standards and keep abreast of the Audit and Attest Standards Team activities, please visit our website:� � http://www.aicpa.org���If you have any technical questions, please call our Hotline: � � (888) 777-7077
60. 13703 - Mike Polk, Hispanic Townhall - 9-27-02 10/17/2011 10:25 PM 60 Questions?
