370 likes | 576 Views
NO FRAUD LEFT BEHIND. The Effect of New Risk Assessment Auditing Standards on Schools Runyon Kersteen Ouellette. Risk Assessment Standards. Statements on Auditing Standards SAS 104 – 111 (risk assessment) Other recently issued standards SAS 112 – 115
E N D
NO FRAUD LEFT BEHIND The Effect of New Risk Assessment Auditing Standards on Schools Runyon Kersteen Ouellette
Risk Assessment Standards • Statements on Auditing Standards • SAS 104 – 111 (risk assessment) • Other recently issued standards • SAS 112 – 115 • How will these new audit standards affect school audits?
SAS 104 • Due professional care in the performance of work • Clarified the definition of reasonable assurance • Emphasized that reasonable assurance is a high level of assurance, but not absolute assurance
SAS 105 • Amendment to SAS 95, Generally Accepted Auditing Standards • Expands the scope of the understanding that the auditor is required to obtain from “internal control” to “the entity and its environment, including its internal control”
SAS 105 • Emphasizes that the understanding is obtained to “assess the risk of material misstatement of the financial statements” • The understanding of the entity and its internal control is part of the audit evidence that supports the opinion • Used to be only part of the audit planning
SAS 106 • Audit evidence • Identifies “risk assessment procedures” as procedures performed to obtain an understanding of the entity in order to assess the risk of material misstatement
SAS 106 • Evidence obtained from performing risk assessment procedures, including gaining an understanding of the entity and its environment, including its internal controls as well as tests of controls and substantive procedures is part of the evidence obtained to support the audit opinion (not just to plan the audit)
SAS 106 • Risk assessment procedures include: • Inquiries of management and others • Analytical procedures • Observation and inspection • Inquiry alone is no longer sufficient to evaluate controls and whether they have been implemented
SAS 107 • Audit risk and materiality in conducting an audit • Auditors can no longer default to maximum risk (instead of testing controls) • Materiality should take qualitative considerations into account as well as quantitative
SAS 108 • Planning and supervision • New guidance on development of overall audit strategy and audit plan • Establish an understanding with the client • What is management’s responsibility compared to the auditor’s responsibility
SAS 109 • Understanding the entity and its environment and assessing the risks of material misstatements • Understanding the entity: • Industry, regulatory, and other external factors • Nature of the entity • Objectives and strategies and the related risks • Measurement and review of financial performance • Internal control, which includes accounting policies
SAS 109 • Understanding of internal control • Evaluating design of a control • Determining whether it has been implemented • Evaluating the design of control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing or detecting and correcting material misstatements
SAS 109 • Components of internal control: • Control environment – tone of organization • Risk assessment – identification and analysis of relevant risks • Information and communication systems – identification, capture and communication of information • Control activities – policies and procedures • Monitoring – assessment of the quality of internal control performance
Control Environment • Primary responsibility for the prevention and detection of fraud and errors rests with those charged with governance and management • The absence or inadequacy of such programs and controls may constitute a significant deficiency or material weakness
Control Environment • Communication and enforcement of integrity and ethical values • Commitment to competence • Participation of those charged with governance • Management’s philosophy and operating style • Organizational structure • Assignment of authority and responsibility • Human resource policies and practices
Risk Assessment • Risk assessment process for financial reporting purposes is its identification, analysis, and management of risks relevant to the preparation of financial statements that are presented fairly in conformity with GAAP
Risk Assessment • Risks relevant to financial reporting: • Changes in operating environment • New personnel • New or revamped information systems • Rapid growth • New accounting pronouncements
Information and Communication Systems • Information systems consist of procedures, whether automated or manual, and records established to initiate, authorize, record, process, and report entity transactions and to maintain accountability for the related assets, liabilities and equity
Information and Communication Systems • Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting
Control Activities • Authorization • Segregation of duties • Safeguarding • Asset accountability
Monitoring • Management is responsible for establishing and maintaining internal controls on an ongoing basis • Monitoring controls includes determining whether internal controls are operating as intended and modifying as appropriate for changes in conditions • Monitoring is done to ensure that controls continue to operate effectively
SAS 110 • Performing audit procedures in response to assessed risks and evaluating the audit evidence obtained • Requires tests of controls to obtain audit evidence about their operating effectiveness when assessment of risks is based on the expectation that controls are operating effectively
SAS 112 • Communicating internal control related matters identified in an audit • Defines the terms significant deficiency and material weakness (revised by SAS 115) • Provides guidance on the severity of control deficiencies • Requires communication in writing to management and those changed with governance
Control Deficiency • Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis
Control Deficiency • Deficiency in design exists when: • a control necessary to meet the control objective is missing or • an existing control is not properly designed so that even if the control operates as designed, the control objective is not always met
Control Deficiency • Deficiency in operation exists when: • a properly designed control does not operate as designed or • when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively
SIGNIFICANT DEFICIENCY (SAS 112) • A control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected
SIGNIFICANT DEFICIENCY (SAS 115) • A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance
Material Weakness (SAS 112) • A significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected
Material Weakness (SAS 115) • A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis
Material Weakness (SAS 115) • Identification of fraud, whether or not material, on the part of senior management • Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud
Material Weakness (SAS 115) • Identification by the auditor of a material misstatement of the financial statements under the audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control • Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance
SAS 114 • Auditor’s communication with those charged with governance • Supersedes SAS 61 • Requires communication before and after the audit
SAS 114 • Planned scope and timing of audit • Assist those charged with governance in understanding the consequences of the auditor’s work • Discussing issues of risk and materiality • Identifying any areas that those charged with governance request the auditor to undertake additional procedures • Assist auditor to understand the entity and its environment
SAS 114 • Auditor’s responsibilities under GAAS • Significant findings from audit • Qualitative aspects of the entity’s significant accounting practices, including policies, estimates, and disclosures • Significant difficulties or disagreements • Uncorrected misstatements, unless trivial • Other findings or issues