Nonprofit Risk Management Center
Money & Mission, April 26, 2005
Audits: “Everything” You’ll Ever Need to Know About Audits
Presented by: Rob Leslie, CPA (602) 264-6835
Audits: “Everything” You’ll Ever Need to Know About Audits
Discussion Topics
• What is the purpose of an audit?
• Audit Reports and the Regulatory Environment
• Internal Controls
• SAS 99
What is the purpose of an audit?
Generally, most NPOs receive an audit of their financial statements.
What is the purpose of an audit?
What an audit is:
• A report on the financial statements of the organization taken as a whole
• Tests and analysis of a “sample” of balances and/or transactions based on certain standards
• Application of materiality concepts
What an audit is not:
• A complete examination of every transaction of the organization
• An examination of the internal controls of the organization
• An examination designed to detect fraud
Audits: “Everything” You’ll Ever Need to Know About Audits EXAMPLE AUDIT REPORTS
Audit Reports and the Regulatory Environment
KEY TERMS AND DEFINITIONS
• GAAP – Generally Accepted Accounting Principles
• FASB – Financial Accounting Standards Board
• GASB – Governmental Accounting Standards Board
• AICPA – American Institute of Certified Public Accountants
• GAAS – Generally Accepted Auditing Standards
• GAGAS – Generally Accepted Governmental Auditing Standards
Audit Reports and the Regulatory Environment
(Diagram: standard-setting hierarchy; labels on the slide: GODS, TITANS, MORTALS; FASB, AICPA, US)
Audit Reports and the Regulatory Environment AUDIT APPROACH AND FRAMEWORK
Audit Reports and the Regulatory Environment AUDIT REPORT ANALYSIS
Audit Reports and the Regulatory Environment
FIRST PARAGRAPH (SCOPE)
We have audited the accompanying statement of financial position of Example NPO, Inc. at June 30, 2004, and the related statements of activities, functional expenses and cash flows for the year then ended. These financial statements are the responsibility of the management of Example NPO, Inc. Our responsibility is to express an opinion on these financial statements based on our audit. The prior year summarized comparative information has been derived from the Example NPO, Inc. 2003 financial statements which were audited by other auditors whose report dated August 27, 2003 expressed an unqualified opinion on these financial statements.
Audit Reports and the Regulatory Environment
SECOND PARAGRAPH
We conducted our audit in accordance with U.S. generally accepted auditing standards. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audit provides a reasonable basis for our opinion.
Audit Reports and the Regulatory Environment
THIRD PARAGRAPH (OPINION)
In our opinion, the 2004 financial statements referred to above present fairly, in all material respects, the financial position of Example NPO, Inc. at June 30, 2004, and the changes in its net assets and its cash flows for the year then ended in conformity with U.S. generally accepted accounting principles.
Phoenix, Arizona
October 10, 2004
Audit Reports and the Regulatory Environment
Other considerations:
• Measurement GAAP
  • Balances
• Disclosure GAAP
  • Footnotes
• Professional Judgment
• Professional Skepticism
Audit Reports and the Regulatory Environment
Other types of audits that may affect NPOs:
• Internal controls
• Single Audit Act (OMB Circular A-133)
• Forensic
• Processing systems (SAS 70)
Audit Reports and the Regulatory Environment
Other reporting considerations:
• Report Modifications (qualified opinion)
• Audit findings
  • Material weaknesses
  • Reportable conditions
• Management Letter Comments
• Report to Audit/Finance committees
Audits: “Everything” You’ll Ever Need to Know About Audits INTERNAL CONTROLS
Internal Controls
Changing Environment
• Sarbanes Oxley Act
  • Audit committees
  • AICPA Tools
  • Other applications to NPOs
• PCAOB
  • New standards – Audit Reports
  • Firm inspections
• Tone at the Top
Internal Controls
Changing Environment
• State Regulations
  • What are the states doing?
Internal Controls
INTERNAL CONTROLS
• Defined
• SOA – sections 302 and 404
• Internal Control Maturity Assessment
• Internal Control Evaluation Process
Internal Control - Definition
The SEC believes “that the purpose of internal controls and procedures for financial reporting is to ensure that companies have processes designed to provide reasonable assurance that:
• the company's transactions are properly authorized;
• the company's assets are safeguarded against unauthorized or improper use; and
• the company's transactions are properly recorded and reported to permit the preparation of the registrant's financial statements in conformity with generally accepted accounting principles.”
We believe that these objectives are embodied in the definition of the term "internal controls" as the term is defined in AICPA Codification of Statements on Auditing Standards (AU) Section 319 and is consistent with Section 103 of the Sarbanes-Oxley Act.
The final rules define “internal control over financial reporting” as:
A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
Internal Control – Definition (Continued)
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements.
The SEC also recognizes that COSO concepts are embodied in this definition. Many companies in the planning stages have elected to follow COSO as a framework.
Internal Controls, SAS 99 and Issues on Fraud
Planning for SOA 404 Compliance
• Familiarize Yourself with Sarbanes-Oxley Section 302 & 404
• Conduct Assessment of Current Internal Control Situation
• Obtain Senior Management (CEO, CFO, Chief Legal Counsel) Commitment to Legal Compliance
• Form a Steering Committee
• Familiarize and Select an Internal Control Framework - COSO
• Form a Project Team
• Define Scope and Plan the Project
• Assess the Entity Level Risk Assessment and Control Environment
• Build a Control Objective, Risk and Internal Control Repository
• Define Key Control Objectives & Associated Risks
• Identify Existing Control Activities Against Control Objectives
• Identify Control Deficiencies and Implement Action Plans For Remediation
• Perform Initial and Ongoing Tests
• Develop Periodic Monitoring & Reporting Process
• Independent Public Accountants’ Review
Internal Controls, SAS 99 and Issues on Fraud
SOA – Sections 302 and 404
Section 302
• Responsible for establishing and maintaining disclosure controls and procedures to ensure that material information is made known during the report period.
• Evaluate the disclosure controls and procedures within 90 days of report and present conclusions on their effectiveness.
• Identify and report all significant deficiencies in the design and operation of internal controls relating to financial reporting.
• Report any fraud that involves a person with a significant role in the issuer’s internal controls.
• Report any significant changes in internal controls.
Section 404
• State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
• Contain an assessment, as of the end of the fiscal year, of the effectiveness of the internal control structure and procedures for financial reporting.
• The public accounting firm that issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. Any such attestation shall not be the subject of a separate engagement.
Internal Controls Internal Control Maturity Assessment
Maturity levels and their characteristics:
Not Reliable
• Minimal Controls Exist
• Are Not Documented
• Risks Unknown
• Little Oversight
• Numerous Surprises
Informal
• Controls Exist
• Are Not Documented
• Risks Unknown
• Little Monitoring
• Periodic Surprises
Documented
• Controls Exist
• Are Documented
• Informal Risk Assessment
• Some Monitoring
• Some Surprises
Regular Monitoring
• Controls Exist
• Are Documented
• Formal Risk Assessment
• Monitoring Program
• Surprises Detected
Predictable
• Controls Exist
• Are Documented
• Regular Risk Assessment
• Continuous Monitoring
• Surprises Prevented
Implications of each maturity level for management assertion and attestation:
Not Reliable
• Management unable to assert
• No attestation can be provided
• Substantial training, documentation and management effort is required to remediate
Informal
• Management assertion is very risky
• Attestation will require substantial public accountant evaluation and testing
• Substantial training, documentation and outside monitoring required
Documented
• Management assertion possible with a medium degree of confidence
• Attestation will require substantial time from the public accountant due to lack of periodic monitoring
• Training business unit management to build monitoring program; some outside monitoring
Regular Monitoring
• Management assertion with strong degree of confidence
• Attestation will require moderate amount of public accountant time
• Line management are the primary reporters about risk and control effectiveness
Predictable
• Management assertion at any point of time – continuous feedback
• Attestation requires minimal public accountant time as feedback information is continuously made available
• Control portfolio is optimized reducing cost of compliance
Observations:
• Most companies fall into the informal and documented categories. As a result, public accountants have historically not placed a great deal of reliance on internal controls to plan their audit procedures for rendering an opinion on the fairness of financial reporting.
• Sarbanes-Oxley now requires companies to move to the regular monitoring or predictable maturity levels to meet regulatory and shareholder expectations.
• If done properly, the cost of assurance can be reduced as expensive substantive testing is minimized.
Implications:
• Responsibility for establishing a strong internal control environment must be accepted by the CEO, CFO, Senior and Business Unit management and the Board of Directors.
• Tools, training and technology should be provided to senior management to properly set the entity-wide control environment and understand risk and internal control concepts.
• Tools, training and technology must be provided to business unit management to adequately document, evaluate, monitor and test the internal control environment. Personnel in all functions now become the “primary reporters” on internal control adequacy and effectiveness.
• The approach of the internal audit changes. Rather than being the primary reporter, internal audit personnel now train operating management on risk and control concepts and facilitate/assist with the design and improvement process. They continue to test management’s assertion and ensure the process has integrity.
• The external audit approach changes. Reliance on internal controls is required. Evaluation, testing and reporting is more open and shared with management, the Audit Committee and internal audit staff.
COSO defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" in 3 categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. COSO further states that internal control over each of these objectives consists of the control environment, risk assessment, control activities, information and communication, and monitoring.
• Control Environment
  • Sets the tone of the organization, influencing the control consciousness of its people.
  • Factors include integrity, ethical values, competence, authority, responsibility.
  • Foundation for all other components of control.
• Risk Assessment
  • Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
• Control Activities
  • Policies/procedures that ensure management directives are carried out.
  • Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
• Information and Communication
  • Pertinent information identified, captured and communicated in a timely manner.
  • Access to internal and externally generated information.
  • Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.
• Monitoring
  • Assessment of a control system’s performance over time.
  • Combination of ongoing and separate evaluation.
  • Management and supervisory activities.
  • Internal audit activities.
Internal Control Evaluation Process
• Identify Key Accounts & Disclosures
  What are the significant balance sheet and income statement accounts? What are the other important financial reporting disclosures?
• Identify Key Business Processes
  What are the significant processes and sub-processes that give rise to financial statement information?
• Identify Significant Risks
  Using reporting assertions, what can go wrong? Determine likelihood and potential impact.
• Document Internal Controls
  What are the entity level controls? What are the process level controls that prevent or detect errors?
• Identify Missing Controls or Unmatched Risks
  What risks are not managed? What controls are missing?
• Test Key Controls
  Design testing procedures to determine if controls are operating effectively.
• Summarize and Report
  Summarize internal control information and testing results. Prepare internal and external reports.
Audits: “Everything” You’ll Ever Need to Know About Audits SAS 99
The New Fraud Standard
SAS No. 99, Consideration of Fraud in a Financial Statement Audit
Overview
• Why was SAS 99 issued?
• Major provisions of SAS 99.
• Responsibilities with respect to fraud.
• New required procedures.
• Required inquiries of management and others.
• Antifraud programs and controls.
• Concluding remarks.
Why Was SAS 99 Issued?
• Research indicates fraud is a serious problem.
• Recent events have placed greater importance on detecting fraud.
• Increased scrutiny of financial information because of highly publicized frauds.
• Concern over audit quality.
• The accounting profession has been working on guidance to enhance auditor performance since 2000.
• SAS 99 represents the culmination of years of work devoted to improving the likelihood that auditors will detect material misstatements due to fraud.
Major Provisions of SAS 99
• Responsibilities for fraud unchanged.
• Emphasis on professional skepticism.
• Focus on identifying and responding to fraud risks.
• Additional procedures now required.
• Effective for audits of financial statements for periods beginning on or after December 15, 2002.
Responsibilities with Respect to Fraud
• SAS 99 does not change the auditor’s responsibility for fraud detection.
  • Auditors have a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.
• SAS 99 does not change the company’s responsibility with respect to fraud.
  • Management continues to be responsible for designing and implementing company programs and controls to prevent, deter, and detect fraud.
New Required Procedures
• Increased procedures in early stage of the audit to identify fraud risks, including:
  • Making inquiries of management and others regarding fraud.
  • Gathering additional information to identify fraud risks.
  • Analytical review of revenue.
• Other procedures to respond to identified fraud risks.
• Procedures to address management’s ability to override internal controls.
Required Inquiries of Management and Others
• Management
  • Owner
  • President or CEO
  • Chief financial officer
  • Controller
• Audit Committee
  • Or audit committee chair
• Internal audit
• Other company employees
Inquiries of Management
Required to ask about:
• Whether you know of any fraud or have suspicions of fraud affecting the company.
• Whether you are aware of any allegations of fraud or suspected fraud affecting the company.
• Your understanding of the risks of fraud within the company.
• How you communicate to employees the importance of ethical behavior and appropriate business practices.
• Programs and controls that have been implemented to address identified fraud risks or otherwise help prevent, deter, and detect fraud and how those programs and controls are monitored.
• The susceptibility of operating locations to fraud and how those locations are monitored.
• Whether you have reported to the audit committee about how the company’s internal control serves to prevent, deter, and detect material misstatements due to fraud.
Inquiries of Audit Committee and Internal Auditors
Required to ask audit committee about:
• Their views about the risks of fraud within the company and whether they have knowledge of any actual or suspected fraud.
• Their role in overseeing the company’s fraud risk assessment and monitoring process.
Required to ask internal auditors about:
• Their views about the risks of fraud within the company and whether they have knowledge of any actual or suspected fraud.
• Whether they performed procedures during the year to identify or detect fraud.
• Whether you have satisfactorily responded to any findings resulting from their procedures.
Inquiries of Others
• We must inquire of others in the company about the existence or suspicion of fraud.
• Based on our judgment, we may determine the need to talk to one or more employees:
  • With varying levels of authority in the company.
  • Outside the accounting department.
  • Operating personnel.
  • Who initiate, record, or process complex or unusual transactions.
  • In areas we identify as being vulnerable to fraud.
  • In-house legal counsel.
New Management Representations
• “We acknowledge our responsibility for the design and implementation of programs and controls to prevent and detect fraud.”
• “We have no knowledge of fraud or suspected fraud affecting the company involving management, employees who have significant roles in internal control, or others where the fraud could have a material effect on the financial statements.”
• “We have no knowledge of any allegations of fraud or suspected fraud affecting the company received in communications from employees, former employees, regulators, or others.”
Antifraud Programs and Controls
• Antifraud programs and controls are policies and procedures put in place to help ensure that management directives are carried out.
• Three fundamental activities:
  • Creating an ethical company culture.
  • Implementing antifraud processes and controls.
  • Developing an effective oversight process.
Creating an Ethical Company Culture
• Setting the tone at the top.
• Establishing a code of conduct.
• Creating a positive workplace environment.
• Hiring and promoting ethical employees.
• Providing ethics training.
• Disciplining and prosecuting violators.
Implementing Antifraud Controls
• Identify and assess fraud risks.
• Implement controls to mitigate fraud risks.
  • General controls.
  • Specific internal controls.
Developing an Effective Oversight Process
• Management.
• Audit committee.
• Internal auditors.
• External auditors.