
Risk Assessment and the Governmental Audit

Risk Assessment and the Governmental Audit. Presented to: Connecticut Society of CPA’s Date: May 14, 2008 Presented by: Christian J. Rogers, CPA, Shareholder. Today’s Agenda. Brief discussion of each of the new risk assessment standards (“Risk Assessment Suite”), SAS’s 104 - 111


Presentation Transcript


  1. Risk Assessment and the Governmental Audit Presented to: Connecticut Society of CPA’s Date: May 14, 2008 Presented by: Christian J. Rogers, CPA, Shareholder

  2. Today’s Agenda • Brief discussion of each of the new risk assessment standards (“Risk Assessment Suite”), SAS’s 104 - 111 • Purpose and objectives of the new standards • Major changes to current practice • Assessing risks of material misstatement • Procedures to perform in response to assessed risks • Audit documentation • Wrap-up • Questions

  3. Risk Assessment Suite • SAS No. 104, Amendment to SAS No. 1 (Codification of Auditing Standards and Procedures) • Expands the definition of “reasonable assurance” (as cited in the Auditor’s Opinion) as a “high level of assurance”.

  4. Risk Assessment Suite • SAS No. 105, Amendment to SAS 95, Generally Accepted Auditing Standards • Reflects new usage of terms required by SAS No. 102. • Second standard of fieldwork modified as follows: • Expands scope from “internal control” to “the entity and its environment, including its internal control” • Extends purpose from “planning the audit” to “assessing the risk of material misstatement of the financial statements whether due to error or fraud” • “Tests to be performed” is replaced with “further audit procedures”

  5. Risk Assessment Suite • SAS 105 (Continued) • Third standard of fieldwork is modified as follows: • Eliminates reference to specific audit procedures (inspection, observation, inquiries and confirmation); reference is to “audit procedures” • “Competent evidential matter” is replaced with “Appropriate audit evidence” • Appropriate is defined in SAS 106 (para. 6)

  6. Risk Assessment Suite • SAS No. 106, Audit Evidence (Amends SAS 31, Evidential Matter) • Provides guidance regarding concepts underlying the third standard of fieldwork: • “The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.”

  7. Risk Assessment Suite • SAS No. 106, Audit Evidence (Continued) • Defines audit evidence • Defines and discusses relevant assertions and their use in risk assessment and designing appropriate further audit procedures • Discusses qualitative aspects in determining the sufficiency and appropriateness of audit evidence • Describes various audit procedures and discusses purposes for which they may be performed

  8. Risk Assessment Suite • SAS No. 107, Audit Risk and Materiality (Amends SAS 47) • Provides guidance on auditor’s consideration of audit risk (AR) and materiality in a financial statement audit in accordance with GAAS • Auditor must consider audit risk and must determine materiality for the financial statements as a whole to: • Determine extent and nature of risk assessment procedures • Identify and assess the risks of material misstatement • Determine the nature, timing and extent of further audit procedures • Evaluate whether the financial statements (taken as a whole) are presented, in all material respects, in conformity with GAAP • AR should be considered at the: • Overall financial statement level • Relevant assertions related to individual account balances, classes of transactions and disclosure level

  9. Risk Assessment Suite • SAS 107 (Continued) • AR at the financial statement level often relates to the control environment • Fraud • Competence of management • Related party transactions • AR at the individual account balance, class of transactions and disclosure level consists of 2 components: • Combined risk: inherent risk (IR) and control risk (CR) • Detection risk (DR)

  10. Risk Assessment Suite • SAS No. 107 (Continued) • Determination of materiality is a matter of professional judgment • Based on needs of users of financial statements • Materiality involves quantitative and qualitative characteristics • The auditor must accumulate and respond to both known and likely misstatements

  11. Risk Assessment Suite • SAS 107 (Continued) • Auditor must consider the effect (both individually and in the aggregate) of misstatements (known and likely) not corrected by the client • Auditor should reassess materiality that was determined during planning • Additional procedures may need to be applied to support opinion

  12. Risk Assessment Suite • SAS 108, Planning and Supervision (amends SAS 1 and SAS 22) • The first standard of fieldwork states: • “The auditor must adequately plan the work and must properly supervise any assistants” • This statement establishes standards and provides guidance when conducting a GAAS audit • Planning and supervision is a continuous process

  13. Risk Assessment Suite • SAS 108 (Continued) • Addresses the following: • Appointment of the independent auditor • Establishing written understanding with client • Preliminary engagement activities • Overall audit strategy • Audit plan • Extent of involvement of specialists • Communication with those charged with governance (CWG) and management • Additional considerations in initial audits

  14. Risk Assessment Suite • SAS 109, Understanding the Entity and Its Environment and Assessing Risks of Material Misstatement (amends, along with SAS 110, SAS 55) • This statement establishes standards and provides guidance about implementing the 2nd standard of fieldwork • “The auditor must obtain a sufficient understanding of the entity and its environment, including internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing and extent of further audit procedures”

  15. Risk Assessment Suite • SAS 109 (Continued) • In summary, SAS 109 addresses • Risk assessment procedures and sources of information about the entity and its environment, including IC • Understanding the entity and its environment, including IC • Assessing the risks of material misstatement • Documentation

  16. Risk Assessment Suite • SAS 109 (Continued) • Areas of significant risk require special attention • Often relate to non-routine transactions and judgmental matters • We will discuss this standard in greater detail in a little while

  17. Risk Assessment Suite • SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (amends, along with SAS 109, SAS 55) • Provides standards and guidance regarding concepts underlying the third standard of fieldwork, which states: • “The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.”

  18. Risk Assessment Suite • SAS 110 (Continued) • Determination of overall responses • Designing and performing further audit procedures • Evaluating whether the risk assessments remain appropriate and to conclude whether sufficient appropriate audit evidence has been obtained • Documentation • We will discuss this standard in greater detail in a little while

  19. Risk Assessment Suite • SAS 111, Amendment to SAS 39, Audit Sampling • Provides enhanced guidance on tolerable misstatement. Generally, misstatement in an account should be less than materiality to allow for aggregation in final assessment.

  20. Purpose and Objectives • The Purpose of the New Standards • To enhance the auditor’s performance and, as a result, increase the effectiveness of audits

  21. Purpose and Objectives • The Objectives of the New Standards • Requiring a more in-depth understanding of the entity and its environment, including its internal control (IC), to identify the risks of material misstatement and what the entity is doing to mitigate them • Requiring a more rigorous assessment of the risks of material misstatement based on our understanding of the entity and its IC • Improving linkage between the assessed risks and the nature, timing and extent of audit procedures performed in response to those risks

  22. Major Changes to Current Practice • Major Changes • One size does not fit all • Procedures/audit programs must be tailored • Risk assessment at the assertion level • Default to maximum control risk is no longer permitted • Potential for higher level (more experienced) staff required during planning and risk assessment stages (dependent upon your current process)

  23. Assessing Risks of Material Misstatement (RMM) • Where do we begin? • Step 1 – Risk assessment procedures and sources of information about the entity and its environment, including IC • Step 2 – Understanding the entity and its environment, including its IC • Let’s get into the details

  24. Assessing RMM • Risk Assessment Procedures • Inquiries of management and others • Analytical procedures • Observation and inspection • Discussion among audit team • Other considerations • Let’s discuss each of these in further detail

  25. Assessing RMM • Inquiries of management and others • Those charged with governance • Internal auditors • Employees who initiate, authorize, process or record complex or unusual transactions • In-house legal counsel • Sales or production personnel • External parties • Investment managers and financial advisors • Attorneys • Rating agencies • Regulatory bodies

  26. Assessing RMM • Analytical Procedures • SAS No. 56 provides guidance • Assist in identifying the existence of unusual: • Transactions or events • Amounts • Ratios • Trends

  27. Assessing RMM • Analytical Procedures (Continued) • Expectations should be developed, for example: • Expected change as a result of budget • Expected change as a result of new revenue stream • Results are usually only a broad indication about whether or not a MM exists • Consider results with other information gathered

  28. Assessing RMM • Observation and Inspection • May support inquiries of management and others and provide additional information • Observation of activities and operations • Inspection of records and internal control manuals • Reading reports prepared by management: • Interim financial statements • Budget documents

  29. Assessing RMM • Observation and Inspection (Continued) • Reading reports (i.e., minutes of meetings) prepared by those charged with governance • Internal audit reports • Facility site visits • Tracing transactions through the information system relevant to financial reporting

  30. Assessing RMM • Audit Team Discussion • Can be held concurrently with SAS 99 discussion • Objective is for audit team to obtain a better understanding of the potential for material misstatements and relationship between the result of the procedures performed and other aspects of the audit (this is key)

  31. Assessing RMM • Audit Team Discussion (Continued) • Discussion should include: • Areas of significant audit risk • Areas susceptible to management override • Unusual accounting procedures • Important IC systems • Materiality at financial statement and account level • Application of GAAP related to the entity

  32. Assessing RMM • Other items for consideration • Results of SAS 99 procedures • Results of prior year audits • Should determine if changes have occurred that could affect the relevance of that information • Communications with the client in between audit cycles

  33. Assessing RMM • Understanding the Entity and its Environment, Including its IC • Includes the following aspects • Industry, regulatory and other external factors • Nature of the entity • Objectives and strategies and the related business risks that may result in a material misstatement • Measurement and review of the entity’s financial performance • Internal control, which includes the selection and application of accounting policies

  34. Assessing RMM • For items 1 through 4 above, the auditor should consider the following: • Industry, regulatory and other external factors • Industry conditions • Market and competition • Cyclical or seasonal activity • Budgetary constraints at the state and/or federal level

  35. Assessing RMM • Regulatory environment • Industry-specific practices • Legislation and regulation that significantly affect the entity’s operations • Direct supervisory activities • Regulatory requirements • Taxes • Environmental • External factors • Recession, growth, etc. • Interest rates • Inflation

  36. Assessing RMM • Nature of the entity • Business operations • Nature of revenue sources • Products or services and the related market • Related party transactions • Location of facilities • Investments • In joint ventures, special-purpose entities, etc. • In plant and equipment • Financing • Use of derivatives • Leasing • Debt • Financial reporting • Accounting principles and industry-specific practices • Revenue recognition practices • Foreign currency transactions • Unusual and complex transactions

  37. Assessing RMM • Objectives and Strategies and Related Business Risks • New products or services • Industry developments • New accounting and regulatory requirements • Measurement and Review of Financial Performance • Key performance indicators • Trends • Analyst reports and credit ratings • Appendix A of SAS 109 includes more examples of matters that the auditor may consider

  38. Assessing RMM • Internal Control • A process, effected by those charged with governance, management and other personnel, designed to provide reasonable assurance about the achievement of the entity’s objectives regarding the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

  39. Assessing RMM • Internal Control (Continued) • Auditor should obtain an understanding of the five components of IC sufficient to assess RMM (due to error or fraud), and to design the nature, timing and extent of further audit procedures

  40. Assessing RMM • Internal Control (Continued) • The COSO framework:

  41. Assessing RMM • Internal Control (Continued) • Control Environment • The foundation for all other IC components • Sets organizational tone • Risk Assessment • Entity’s identification and analysis of relevant risks in achieving objectives • Forms a basis for how those risks should be managed • Information and Communications • Supports the identification, capture and exchange of information in a form and timeframe that enable people to carry out their responsibilities

  42. Assessing RMM • Internal Control (Continued) • Control activities • The policies and procedures that ensure that management’s directives are carried out • Monitoring • Assesses the quality of IC performance over time

  43. Assessing RMM • Internal Control (Continued) • Depth of understanding IC • Evaluate design of controls relevant to the audit • Is the control capable, individually or collectively, of effectively preventing or detecting and correcting material misstatements • Determine whether the applicable controls have been implemented (the control exists and the entity is using it) • The design of the control should be considered in determining whether to consider its implementation • If the design is deficient, its implementation is ineffective

  44. Assessing RMM • Internal Control (Continued) • Perform risk assessment procedures to obtain understanding of IC • Inquiry of personnel • Observation of the application of specific controls • Inspecting documents and reports • Tracing transactions through the financial reporting system • Inquiry alone is not sufficient

  45. Assessing RMM • Assessing RMM • Now that we have obtained our understanding and performed our risk assessment procedures it is time to assess the RMM • The assessment must be made at the financial statement level and relevant assertion level related to: • Classes of transactions • Account balances • Disclosures

  46. Assessing RMM • Assessing RMM (Continued) • Risks should be identified throughout the process of obtaining understanding of the entity and its environment, including relevant controls that relate to risks, and consider the classes of transactions, account balances and disclosures • Relate identified risks to what can go wrong at the relevant assertion level • Consider whether risks are of magnitude that could result in material misstatement • Consider the likelihood that the risks could result in material misstatement

  47. Assessing RMM • Assessing RMM (Continued) • Determine whether risks relate to specific relevant assertions or to the financial statements as a whole (weak control environment) • Risk assessment is used to determine the nature, timing and extent of further audit procedures to be performed • If the expectation is that controls are operating effectively at the relevant assertion level, tests of controls must be performed

  48. Assessing RMM • Assessing RMM (Continued) • Significant Risks • Require special audit consideration • Based on auditor’s judgment • Considerations include: • Inherent risk • Risk of fraud • Related to recent significant economic, accounting or other developments • Complexity • Related parties • Significant nonroutine transactions • Significant estimates

  49. Assessing RMM • Assessing RMM (Continued) • Auditor’s response: • If the auditor has not already done so, evaluate design of the entity’s controls related to the risks • This will be discussed further in the next section, Performing Procedures in Response to Assessed Risks

  50. Procedures to be Performed • How do we respond to our RMM? • There are two types of responses • Overall responses at the financial statement level • Maintain professional skepticism • Assigning more experienced staff • Using specialists • Performing procedures at year-end rather than during the interim
