1 / 28

SAS 117: The New Auditing Standard on Compliance

SAS 117: The New Auditing Standard on Compliance. May 11, 2010 Eric Formberg, Plante & Moran, PLLC Randy Roberts, AZ Auditor General Office . What This Session Will Cover. What the new Compliance Audit SAS will require

barbie
Download Presentation

SAS 117: The New Auditing Standard on Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SAS 117:The New Auditing Standard on Compliance May 11, 2010 Eric Formberg, Plante & Moran, PLLC Randy Roberts, AZ Auditor General Office

  2. What This Session Will Cover • What the new Compliance Audit SAS will require • How a compliance audit differs from the financial statement portion of an audit • Insight on how to implement the compliance audit requirements • Questions

  3. What the New Standard Will Do Supersedes AU section 801, Compliance Auditing Considerations . . . (SAS 74) Uses new clarity format Effective for audits of periods ending June 15, 2010 and later

  4. What the New Standard Will Do Address some of the recommendations in the PCIE’s study on single audit quality Clarify its applicability Update for changes in the compliance audit environment Clarify that, and which, generally accepted auditing standards apply to the compliance portion of an audit Identify auditor requirements and provide guidance that are unique to a compliance audit Update the elements to be included in an auditor’s report on compliance for current standards

  5. New Compliance SAS – Content • Intro and Applicability • Objectives • Definitions • Requirements and Guidance

  6. This new SAS applies when all of the following are required: Generally accepted auditing standards (GAAS) Financial audit standards for Government Auditing Standards A governmental audit requirement that requires the auditor to express an opinion on compliance Applicability

  7. Applicability Examples Requirement • Single Audit (A-133) • HUD Guide audit • State Grant • State law to determine that gas tax monies spent for road purposes • Bond monies spent per debt covenants Type of engagement • Compliance audit (AU801) • Compliance attestation (AT601) • Agreed-upon procedure (AT101) • “In connection with” (AU623.01.c)

  8. Objectives • Obtain sufficient appropriate audit evidence to form an opinion and report at the level specified by the government audit requirement on whether the entity complied in all material respects with the applicable compliance requirements • Identify audit and reporting requirements specified in the governmental audit requirement that are supplementary to GAAS and GAGAS, if any, and perform procedures to address those requirements.

  9. Definitions • Terms Unique to Compliance Audit Environment • Applicable Compliance Requirements • Governmental Audit Requirement • Compliance Audit • Terms Adapted for Compliance Audit Environment from Financial Audit Standards • Audit Risk of Noncompliance • Risk of Material Noncompliance • Significant Deficiency in Internal Control over Compliance • Material Weakness in Internal Control over Compliance

  10. Definitions – Examples • Applicable compliance requirements • Risk of material noncompliance F/S = materially accurate Compliance =

  11. Requirements Adapt and apply AU sections to compliance objectives • Appendix has the laundry list, but what’re the key ones? • Materiality • Risk assessment process • Gotta do the tests – internal controls, tests of compliance, analytical procedures – sufficient to give an opinion • Reporting • Documentation

  12. Materiality • Materiality set based on governmental audit requirement, GAAS and GAGAS supplement how • Different levels of materiality • Different nature • Unique qualitative & quantitative factors

  13. Risk Assessment Procedures • Gaining an understanding • First, which programs, which requirements? • Inquiries, past experience, federal regulations • What are the risk factors? • Newness, complexity, knowledge, nature of services, level of oversight, past external and internal reports, management's corrective actions • What are the internal controls? • Five elements of COSO for complianceobjectives

  14. Risk of Material Noncompliance • Factors relative to the applicable compliance requirements when assessing this risk: • Complexity • Susceptibility to noncompliance • Length of time the entity has been following them • The auditor’s observations about the entity’s compliance in prior years • The potential effect on the entity of noncompliance • The degree of judgment involved to adhere to them • The auditor’s assessment of the risks of material misstatement in the financial statement audit • Design and implementation of relevant internal controls

  15. Matching Controls with Related Risks Controls over compliance – Controls with a purpose! • Value of control dependent on compliance risk it offsets • Risk assessment process • Identify compliance risk • Identify control(s) that reduce risk • Determine if risk is reduced sufficiently (a relatively low level) • Do deficiencies exist? Impact on compliance tests? DOCUMENT YOUR THINKING! • Are tests of control effectiveness “necessary”? • Governmental audit requirement (A-133) • Reduce overall audit effort to issue an opinion

  16. Match Game

  17. F/S: Look at both overall and assertion level; Respond to risks at both Compliance: Trip across what affects multiple programs/ requirements; Respond to overall risk Performing Further Procedures • Pervasive risks – how it’s different than a F/S audit • Examples: • Centralized recordkeeping with poor internal controls • Tone at the Top suggests lack of concern for compliance • Overall grants management centered on one individual • Decentralized operation with no monitoring

  18. Performing Further Procedures • Tests of compliance • Tests of details, tests of transactions • Tests of internal control, if: • Risk assessment is based on expectation that controls are operating effectively • Substantive procedures alone won’t provide sufficient appropriate audit evidence, or • Required by governmental audit requirement • Portions of AU 318 related to evidence of operating effectiveness obtained in prior audits are not applicable to compliance audits

  19. Performing Further Procedures • New chapter about sampling in Government Auditing Standards and A-133 Audit Guide • Perform any supplementary audit requirements • e.g., specific procedures to identify major programs • e.g., assess reasonableness of summary schedule of prior audit findings • Where analytical procedures fit in • For planning • As tests of compliance • Other evidence

  20. How Does Fraud Fit In? • It does! .. Focus - Impact of Fraud Risks on noncompliance • Fraud Triangle in a compliance environment • Example Areas of Concern • Funding pressure • Maximizing reimbursement • Job security • Program or Participant Utilization • Compliance “world” often a separate part of the entity • “Power” of the journal entry! • SAS 99 documentation requirements apply • Hot Topic………ARRA concerns

  21. Forming an Opinion • Do you have enough relevant evidence to determine whether an entity materially complied? Consider: • The frequency of the noncompliance • The nature of the noncompliance • The adequacy of the entity’s system for monitoring compliance • Whether any identified noncompliance resulted in likely questioned costs that are material to the government program

  22. Forming an Opinion • Making the decision about material noncompliance • Is it big enough (per the governmental audit requirement [GAR]) to be: • A finding? • Material to the requirement? • Material to the program? • Look to the GAR – could be noncompliance, internal control deficiencies, questioned costs • $ or % for monetary transactions (e.g., cost principles, cash management); # or % for nonmonetary (e.g., eligibility, reporting) • Significance of requirement to program; degree to which requirement was not complied with

  23. Subsequent events • Financial statement audits versus compliance audit

  24. Reporting and Reports • Reporting • Opinion on compliance • Other required reporting per the governmental audit requirement (e.g., instances of noncompliance, internal control deficiencies, questioned costs) • Reports • Report on compliance • Report on internal controls • Can be combined

  25. Documentation • All of AU section 339 applies • Key areas: • Risk assessment procedures • Response to risk of material noncompliance • Materiality levels used and the basis on which they were determined • Can there be more than one? • How should it be applied to specific requirements? • Compliance with supplemental audit requirements • No expectation to document how the auditor adapted and applied every applicable AU section

  26. Reissuing a Compliance Report Hopefully, this never happens to you! • Explanatory paragraph describing reason for reissuance or report and changes made • Dating • Update if all programs affected • Dual date if not all programs affected • A need to reissue auditor-prepared documents referred to in the compliance report is considered to be a reissuance of the report itself

  27. AICPA Audit Resources • Auditing & Accounting Guides will continue to be important for meeting standards for Single Audits • Government Auditing Standards and Circular A-133 • State & Local Governments 27

  28. Questions ?????

More Related