AICPA Auditing Update - intergovernmental audit forums

Parlament Europejski

The Latest on AICPAAuditing Standards3

SAS 102 and SSAE No. 13• Issued in December 2005• SAS 102 and SSAE 13 define the terminology theASB will use to describe the degrees of responsibilitythat the requirements impose on theauditor/practitioner• Will result in clarification of standards• Terms are substantially similar to those defined bythe PCAOB in its Rule 31014

SAS 102 and SSAE 13• Provisions apply to existing standards• Unconditional requirements• The auditor is required to comply in all cases• Indicated by the words “must” or “is required to”5

SAS 103 Audit Documentation• Effective for periods ending on or after December 15,2006; supersedes SAS 96• The ASB considered:• The documentation requirements of PCAOBAuditing Standard No. 3• The documentation requirements of IAASB ISA230• Government Auditing Standards• Suggestions received from NASBA7

SAS 103 Audit Documentation• Prepare audit documentation in sufficient detail toprovide an experienced auditor with no previousconnection to the audit a clear understanding of thework performed, the evidence obtained and itssource, and the conclusions reached• Enhanced guidance on matters that should bedocumented• Guidance on documentation that should be retained8

SAS 103 Audit Documentation• Oral explanations on their own do not representsufficient support for work the auditor performed orconclusions reached• May be used to clarify or explain auditdocumentation• Document audit evidence that is contradictory orinconsistent with final conclusions and how theauditor addressed the contradiction or inconsistency9

SAS 103 Audit Documentation• Assemble the final audit engagement file within 60days following the report release date.• After 60 days – no deletion or discard of existingaudit documentation• After 60 days – appropriately documentsubsequent additions• Minimum file retention period of five years from thereport release date.10

SAS 103 Audit Documentation• Dating of the auditor’s report:• Not earlier than the date on which the auditor hasobtained sufficient appropriate evidence tosupport the opinion.• When do you have “sufficient appropriate evidence”?• When you are at a point that you would becomfortable signing the report and releasing tothe client.11

Risk Assessment Standards• Recently issued risk assessment standards:• SAS No. 104, Amendment to Statement onAuditing Standards No. 1• SAS No. 105, Amendment to Statement onAuditing Standards No. 95, Generally AcceptedAuditing Standards• SAS No. 106, Audit Evidence• SAS No. 107, Audit Risk and Materiality inConducting an Audit (Audit Risk and Materiality)12

Risk Assessment Standards• Recently issued risk assessment standards:• SAS, No. 108, Planning and Supervision• SAS No. 109, Understanding the Entity and ItsEnvironment and Assessing the Risks of MaterialMisstatement (Assessing Risks)• SAS No. 110, Performing Audit Procedures inResponse to Assessed Risks and Evaluating theAudit Evidence Obtained (PerformingProcedures)• SAS No. 111, Amendment to Statement onAuditing Standards No. 39, Audit Sampling13

Risk Assessment StandardsOriginated as a joint project between theASB and IAASB about the time we beganwork on SAS 99• Why issued? The ASB believes that theSASs represent a significant strengthening ofauditing standards• Much of SAS 99 theory originated in ourdeliberations over risk assessment standards14

Risk Assessment Standards• Enhances the auditor’s application of the audit riskmodel in practice by requiring:• More in-depth understanding of the entity and itsenvironment, including its internal control, to identify therisks of material misstatement in the financial statementsand what the entity is doing to mitigate them• More rigorous assessment of the risks of materialmisstatement of the financial statements based on thatunderstanding• Improved linkage between the assessed risks and thenature, timing, and extent of audit procedures performed inresponse to those risks15

How the SASs Affect Practice• The quality and depth of the requiredunderstanding of the entity and itsenvironment, including its internal control, issignificantly enhanced• Discussion among engagement team• What could go wrong?• Understand the 5 components of internal control(Control environment, Risk assessment, Controlactivities, Information and communication, andMonitoring)16

How the SASs Affect Practice• Industry, regulatory, and other external factors• Nature of the entity• Objectives and strategies and related businessrisks• Measurement and review of the entity’s financialperformance• Internal control• SAS 109, Assessing Risks, paragraphs 21 - 10117

How the SASs Affect Practice• The auditor should assess the risks of materialmisstatement at the financial statement level and atthe relevant assertion level on all audits based onthe understanding obtained• Assertions about classes of transactions• Assertions about account balances• Assertions about presentations and disclosures18

How the SASs Affect Practice• Identifying risks through considering• The entity and its environment, including itsinternal control• Classes of transactions, account balances,and disclosures• Relating the identified risks to what could gowrong at the relevant assertion level• Considering the significance and likelihood of therisks• SAS 109, Assessing Risks, paragraphs 102-12119

How the SASs Affect Practice• The auditor should have an appropriate basisfor his/her audit approach. Default tomaximum for control riskassessment is disallowed.• SAS 110, Performing Procedures, paragraph820

How the SASs Affect Practice• Testing of controls is encouraged• The requirement to link assessed risks and the auditprocedures responsive to those risks is improved• Risk assessment is a continuous process, not a series ofdiscrete stages• Respond to the risks at the financial statement level andrelevant assertion level by:• Developing overall responses to the assessed risk at thefinancial statement level• Determining the nature, timing, and extent of furtheraudit procedures at the relevant assertion level• SAS 110, Performing Procedures, paragraphs 4-2221

How the SASs Affect Practice• Perform further audit procedures that are clearly linked torisks at the relevant assertion level by:• Performing tests of the operating effectiveness ofcontrols• Performing substantive procedures• Evaluating the adequacy of presentation and disclosure• SAS 110, Performing Procedures SAS, paragraphs 23-68• Evaluate whether sufficient competent audit evidence hasbeen obtained• SAS 110, Performing Procedures, paragraphs 70-7622

How the SASs Affect Practice• Greater emphasis is placed on testing ofdisclosures• Guidance on evaluating audit findings isclarified and expanded• Documentation requirements aresignificantly expanded23

Iron Curtain/Rollover Issue• In evaluation of audit findings, theauditor should consider the effects ofmisstatements related to prior periods.• Guidance in SAS 107, Audit Risk andMateriality, paragraphs 52 and 53 isneutral.24

Risk Assessment Standards• SAS 104 amends SAS 1 to clarify that “reasonableassurance” is a “high level of assurance”• All eight standards are effective for all audits offinancial statements for periods beginning on or afterDecember 15, 2006• The ASB will have a comprehensive roll out plan toassist auditors which will include:• Risk Alert• Authoritative Audit Guide geared towards smaller audits• CPE Courses• Conferences25

SAS No. 112, Internal Control• Recognizes that body to whom communication ismade may take different forms• Board of Directors• Committee of management• Single owner• Those charged with governance = the persons withresponsibility for overseeing the strategic direction ofthe entity and the entity’s financial reporting anddisclosure process.26

SAS No. 112, Internal Control• Conforms definitions of control deficiency, significantdeficiency, and material weakness to those inPCAOB AS#2 . The term significant deficiencyreplaces the term reportable condition• Requires written communication of significantdeficiencies and material weaknesses tomanagement and those charged with governance.• Should be communicated even if they werecommunicated in connection with previous audits27

SAS No. 112, Internal Control• A significant deficiency is a control deficiency, orcombination of control deficiencies … such that thereis more than a remote likelihood that a misstatementof the entity’s financial statements that is more thaninconsequential will not be prevented or detected.• Significant deficiencies may involve one or more of the fiveinternal control components• A material weakness is a significant deficiency, orcombination of significant deficiencies, that results inmore than a remote likelihood that a materialmisstatement of the financial statements will not beprevented or detected.28

Old DefinitionsNew DefinitionsMaterial weaknessMaterial weaknessReportable conditionSignificant deficiencyManagement letter comment (under YellowBook only)Other matters related to internal control29

SAS No. 112, Internal Control• Provides guidance in evaluating:• Deviations in the design or operation of controls andwhether those deviations constitute control deficiencies• The severity of control deficiencies• Based on nature, likelihood, and magnitude• Whether misstatements or potential misstatements are “morethan inconsequential”• Identifies control deficiencies that ordinarily would beconsidered at least significant deficiencies• Identifies circumstances that should be regarded asat least a significant deficiency and a strong indicatorof a material weakness30

SAS No. 112, Internal Control• After concluding on severity of deficiency (controldeficiency, significant deficiency, materialweakness), to consider whether “prudentindividuals” having knowledge of facts andcircumstances would come to same conclusion.• Written communication required no later than 60days following issuance of audit report• Provides illustrative written communications31

SAS No. 112, Internal Control• Includes an appendix containing examples ofcircumstances that may be controldeficiencies, significant deficiencies, ormaterial weaknesses• Voted for issuance by the ASB in April 2006• Effective date = audits of periods ending onor after December 15, 2006• SAS 112 Audit Risk Alert to be issued mid-November32

Implications of SAS No. 112• Yellow Book adopting new terminology• AICPA currently looking at how internal controlreporting may change as a result• The big question is what action OMB will takewith regard to single audits• The other big question is what action thenumerous federal agencies with audit guides(for example, HUD and Education) will take.• PCAOB re-looking at AS233

Proposed AT 501 Revisions• Original exposure draft issued March 2003 to beresponsive to SOX and concerns by users andregulators regarding AT 501• Exposure draft and comment letters sent to PCAOBfor consideration in framing PCAOB AS No. 2• In September 2004, the ASB determined thatproposed SSAE should be revised to reflectguidance in PCAOB AS No. 2 that is appropriate fornonissuers.34

Proposed AT 501 Revisions• Revised AT 501 would be used bypractitioners examining internal control overfinancial reporting for non-issuers• Provides guidance on evaluatingmanagement’s basis or substantiation formaking an assertion about an entity’s internalcontrol over financial reporting.35

Proposed AT 501 Revisions• Comment period for exposure draftended May 19, 2006• Project on hold until PCAOB considersrevisions to AS2• In the meantime, conforming changesmade to AT501 to modify internal controlterminology to be consistent with SAS11236

Proposed Communications SAS• The Auditor’s Communication with Those Chargedwith Governance; would replace SAS 61,Communication with Audit Committees• SAS 61 establishes communication requirements toentities that either have an audit committee or havedesignated oversight of the financial reportingprocess to an equivalent group• The proposed SAS:• Broadens the applicability to audits of all non-issuers• Establishes a requirement for the auditor to determine thatcertain significant matters related to the audit arecommunicated37

Proposed Communications SAS• Those charged with governance = those with theresponsibility for overseeing the strategic direction ofthe entity and obligations related to theaccountability of the entity, including overseeing theentity’s financial reporting process and internalcontrol over financial reporting.• Management = Those that have executiveresponsibility for the conduct of the entity’soperations, including preparation of the entity’sfinancial statements.38

Proposed Communications SAS• Identifies matters to be communicated (many arecarryovers from SAS 61).• Requires the auditor to determine the appropriatepersons with whom to communicate particularmatters.• May be different based on the matters to becommunicated.• Encourages the use of professional judgment indeciding with whom to communicate particularmatters.39

Proposed Communications SAS• Considerations when all of “those charged withgovernance” are involved in managing the entity• Required to communicate:• The auditor’s responsibilities under GAAS• An overview of the planned scope and timing ofthe audit• Significant findings from the audit• Significant findings must be communicated in writingwhile other communications may be oral.40

Proposed Communications SAS• Requirement to evaluate the two-waycommunication between the auditor and thosecharged with governance.• Document significant matters communicated.• Communicate events or conditions that indicate thatthere could be substantial doubt about the entity’sability to continue as a going concern.41

Proposed Communications SAS• Proposed effective date = periodsbeginning on or after December 15,2006.• Comment period ended on May 31,2006.• Final standard expected in fourth quarter200642

Other Current ASB Projects• Quality control, re-looking at Q.C. standards in lightof lessons learned and new international Q.C.standards• Auditor’s reports, can we improve what we say whatis an audit (and what it isn’t)?• Related parties• Management representations• Use of specialists• Revisions to SAS No. 74, compliance auditing• Revisions to SAS 69, GAAP hierarchy43

OMB Activities44

OMB• 2006 Compliance Supplement issued in itsentirety in April 2006• 4 new programs and numerous program updates• Deletion of 2 programs• Appendix VI containing disaster guidance• Homeland Security cluster modified• SFA and R&D Cluster guidance revised andMedicaid cluster expanded45

OMB• 2007 Compliance Supplement processunderway. Changes expected include:• 3 new programs (HUD, ED, DOT cluster)• 50 programs with changes of varying significance• Updates to Appendix VI on disasters• DHS guidance on equipment purchases• SFA Cluster – Schools as lenders guidance added• No changes to subrecipient monitoring section• A few changes to suspension and debarment46

OMB• Late Clearinghouse filings and effect onLow-Risk Auditee Status• IGs beginning to interpret Section 530 ofCircular A-133 to mean that a latesubmission to the Clearinghouse precludeslow-risk auditee status in the following year• Firms should check with cognizant oroversight agency for audit before providinglow-risk auditee status to an entity that has alate submission in the previous year47

OMB• Federal Funding Accountability Act of2006• Requires OMB to establish a database forfederal agencies to disclose to the public dataon the grants, loans and contracts they award• How much money was awarded to grantees andsubgrantees• The organizations receiving the money• The purpose of the award and more48

Status of AICPA GAS/A133 AuditGuide49

Audit Guide, GAS/A133 Audits• You should be using this Guide to assist you inperforming any audit you do underGovernment Auditing Standards or OMBCircular A-133• 2006 conforming changes issued in late July• GAS/A133 audits are known to have manyquality issues—Guide can help you avoid suchissues50

Audit Guide, GAS/A133 Audits• 2006 conforming changes included:• Updates for new SASs that are effective• Other auditors guidance• Reference in Yellow Book report to the report on the financialstatements should mention if that report referred to otherauditors• When other auditors referred to, the Yellow Book report needsto be clear whether other auditors Yellow Book findings areincluded or not• Guidance provided on two options of addressing other auditorsfindings (reference option and inclusion option)• Two new illustrative reports added• Make sure you are familiar with changes made in previous years51

Reference Option Report Wording• We have audited the financial statements of the governmentalactivities, …and have issued our report thereon dated August15, 20X1. Our report was modified to include a reference toother auditors. We conducted our audit in accordance withauditing standards generally accepted in the United States ofAmerica and the standards applicable to financial auditscontained in Government Auditing Standards, issued by theComptroller General of the United States. Other auditorsaudited the financial statements of [identify organization,function, or activity], as described in our report onExample Entity’s financial statements. This report does notinclude the results of the other auditors’ testing of internalcontrol over financial reporting or compliance and othermatters that are reported on separately by those auditors.52

Audit Quality Update53

Audit Quality Continues to be a Concern• Federal statistical sample of auditquality underway• Ongoing QCRs and peer review resultsshow that quality needs improvementboth in financial statement audit workand also single audits• Ethics referrals have shown similarproblems54

The Stat Sample Update• Expected Quality Deficiencies• Documentation does not evidence the workperformed• For example, tickmarks with minimal explanation• No rationale for why something not an exception• No rationale for decisions relating to sampling (insome cases only one sample was used for bothfinancial statement audit and single audit with noexplanation as to how the sample was appropriate forboth purposes)• Stating a compliance requirement is N/A withoutexplanation55

The Stat Sample Update• Expected Quality Deficiencies• Lack of evidence about procedures performedon SEFA• Medicaid erroneously considered a majorprogram at entities only receiving funds as aprovider of services• Not adequately addressing internal control• 5 elements of COSO• Identifying tests of controls versus tests of compliance57

Other Continuing Quality Problems• Type A Program Determination• Two-year lookback• Clusters• Percentage of Coverage Rule• Sampling• Reporting problems• Required findings erroneously put in management letter• Client only listing prior year’s finding on the SummarySchedule of Prior Audit Findings (See A-133 section .315(b))• Yellow Book CPE requirements not met• Data collection form problems58

Governmental Audit Quality Centerand Other AICPA Assistance59

AICPA Governmental Audit Quality Center• Council authorized in October 2003 (alsoestablished EBP Audit Quality Center)• Governmental audit practice is pervasive• > 6,300 AICPA firms involved• Thousands of single audits and othergovernmental audits annually• Public interest high - federal $$$60

AICPA Governmental Audit Quality Center• A firm-based voluntary membership center designedto improve the quality of governmental audits,including audits of not-for-profit organizations• Governmental audits are audits and attestationengagements performed under Government AuditingStandards (“Yellow Book”)• By joining, a firm demonstrates its commitment toquality (must adhere to membership requirements)• Center provides resources to auditors that performYellow Book and/or single audit rules61

AICPA Governmental Audit Quality Center• Center launched at end of September2004 and membership is over 620 firms• 80% of federal expenditures covered insingle audits performed by member firms62

GAQC Web Site: www.aicpa.org/GAQC• Comprehensive resource to Center members whichincludes:• The latest news and spotlight items regarding governmentalaudits• Resources regarding the performance of audits underGovernment Auditing Standards, Circular A-133, and othercompliance audit rules• A listing of firms that belong to the Center sorted by firmname and state• Member forum so that firm members can interact with othermembers• Some portions of the site are available to the generalpublic and provide useful information63

For More Information• Check out the Center Web Site at:www.aicpa.org/GAQC or E-Mail:GAQC@aicpa.org64

Other AICPA Audit Resources• A&A Guides• GAS/A133 (product number 012746)• SLG (product number 012666)• NPO (product number 012646)• HC (product number 012616)• Audit Risk Alerts• GAS/A133 (product number 022456)• SLG (product number 022436)• NPO (product number 022426)• HC (product number 022346)• Practice Aid, Auditing Recipients of Federal Awards: PracticalGuidance for Applying OMB Circular A-133 (product number006621)65

To Obtain Your Copy…• To purchase AICPA products call theAICPA Order Department at 888-777-7077 or go to www.cpa2biz.com andorder online through the AICPAStore.66

Questions ?????67