RISK ASSESSMENT STANDARDS: WHAT YOU NEED TO KNOW
NEELY DUNCAN, CPA, CFE, FCPA
AUDIT MANAGER
June 19, 2008
Introduction
Welcome
Agenda
Risk assessment standards
Impact on your audit
Benefits to your organization
Requirements
Internal control deficiencies
What can you do to help (and keep audit costs down)
Lane Gorman Trubitt, L.L.P. 6/19/08
Risk Assessment Standards
Auditing profession continually reviews practices and makes necessary improvements.
Goal is to maintain and enhance the quality of independent audits and achieve international convergence.
Post Enron and Sarbanes-Oxley - Higher expectations of auditors.
Require sweeping changes in our audit process.
Will result in increased effort by both your company and your auditors.
Effective for audits of financial statements for periods beginning on or after December 15, 2006.
What is Risk Assessment?
More focused audit approach.
Considers at a detailed level what can go wrong in your accounting records and in the preparation of your financial statements.
Identifies areas where material errors or fraud are more likely to occur.
Concentrates audit effort in those areas.
Depends on the depth of our understanding of your company, industry, and internal controls.
Risk Assessment Standards
SAS 104 Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards & Procedures
SAS 105 Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
SAS 106 Audit Evidence
SAS 107 Audit Risk & Materiality in Conducting an Audit
SAS 108 Planning & Supervision
SAS 109 Understanding the Entity and Its Environment & Assessing the Risks of Material Misstatement
SAS 110 Performing Audit Procedures in Response to Assessed Risks & Evaluating the Audit Evidence Obtained
SAS 111 Amendment to Statement on Auditing Standards No. 39, Audit Sampling
SAS 114 The Auditor’s Communication With Those Charged With Governance
Risk Assessment Standards
The objectives of the SASs are to improve audit effectiveness by requiring:
A more in-depth understanding of the entity and its environment, including its internal control.
More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements.
A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.
Impact to 2007 audits
Planning and supervision
Signed engagement letter before planning starts.
Approved communication from Audit Committee.
Requires more time from managers.
Knowledge of business and internal control assessment will add substantially more time.
Inquiry regarding internal control not enough – need to verify by doing walkthroughs of all major cycles.
Required to assess key IT controls, security & changes – may need IT specialist.
Obtain Type II SAS 70 reports for significant outsourced services – for instance, payroll, claims processing, etc.
Three planning meetings will be necessary for your auditors.
Determine what info to gather and how – walkthroughs, etc.
Perform risk assessment including fraud brainstorming
Responses to risks – develop audit plan and tailor programs
Impact to 2007 audits (cont)
Risk assessment
Risk based audit approach required – not a philosophical change for us.
No longer can assess control risk at maximum and do no work on controls.
Risk assessment much more detailed than we used in the past.
Risk by assertions to transaction cycle, accounts and disclosures
Documentation increased
Linkage to audit assertions, procedures, workpapers and conclusions
Will require more time from audit team management.
Impact to 2007 audits (cont)
Other matters
Many more management letter comments. Some clients will view this as adding value while others will view this as a problem.
2006 saw that all clients had at least one material weakness – they don’t prepare their F/S, we do. This will be reported every year, unless the client can take responsibility for them.
Bottom line estimated impact to fees:
Industry says 15-40%
Our estimate 10-15%
What are the Benefits to You?
A more thorough, effective, and focused audit.
We will be better able to:
Provide useful information
Identify problems or opportunities and make recommendations
Assist with special projects
Recommended improvements can help you avoid unexpected losses or expenses.
Better overall internal control.
What are the Requirements?
Obtain a more in-depth understanding of your company and its operating environment, including internal controls.
Identify the specific risks of material errors or fraud occurring and remaining undetected by you, along with the actions you are taking to mitigate those risks.
Perform a rigorous assessment of the risks of material misstatement of your financial statements based on that understanding.
Link that risk assessment with the resulting audit procedures.
Meet new documentation requirements.
Obtain Understanding
Identify Risks
Perform Risk Assessment
Link Risk Assessment to Audit Procedures
Meet New Documentation Requirements
In-depth Understanding Of Company
Auditors are required to gather information to gain an in-depth understanding of the company and its environment.
Includes the following aspects:
External factors
Nature of the client
Objectives and strategies and related business risks
Measurement and review of the company’s financial performance
Internal control
Identify Risks of Material Misstatements
Consider:
Significance of transactions, account balances, and disclosures to the financial statements
Effectively designed controls that are in place
Based on the auditor’s understanding of the design and implementation of the company’s controls, identify those areas where material errors or fraud could occur.
Perform Risk Assessment
Required to assess the risk of material misstatement at:
Financial statement level – pervasive to financial statements as a whole and potentially affect many relevant assertions
Relevant assertion level – relate to specific classes of transactions, account balances, and disclosures at the assertion level
Perform Risk Assessment (continued)
Financial statement level risks should be related back to specific assertions.
Examples of financial statement level risks –
Overall weak control environment
Lack of qualified personnel in financial reporting roles
Management's process for making significant accounting estimates
Perform Risk Assessment (continued)
Examples of relevant assertion level risks –
Existence of accounts receivable
Occurrence of sales
Valuation of inventory
Presentation and disclosure of debt covenant compliance
Assertions
What are assertions?
Management’s implicit or explicit representations regarding the recognition, measurement, presentation and disclosure of information in the financial statements
Our audit approach is generally directed at specific assertions in order to properly link the assessed risks to our audit procedures.
Link Risk Assessment to Audit Procedures
Assessment of risk of material misstatement (at both the financial statement and assertion level) should be directly linked to the design and performance of audit procedures.
Audit programs and checklists must be tailored to reflect this linkage.
Examples –
Significant accruals that are subject to complex estimation
Inventory quantities that are difficult to count could be misstated
New Documentation Requirements
Auditors must have and document an appropriate basis for the audit approach.
This requirement eliminates the ability to assess control risk “at the maximum” without having a basis for the assessment (aka “default to max”).
“Default to max” – means placing no reliance on a company’s internal control and performing primarily detailed, substantive testing.
Typically, “defaulting to max” was considered to be more efficient for companies with a limited control environment.
New Documentation Requirements (cont.)
Audit documentation must be prepared in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand:
The nature, timing and extent of auditing procedures
The results of the audit procedures performed and the audit evidence obtained
The conclusions reached on significant matters; and
That the accounting records agree or reconcile with the audited financial statements or other audited information
Internal Control Deficiencies
Internal Control Deficiencies fall into three categories under SAS 112:
Control Deficiency - A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Can be communicated by the auditors verbally.
Significant Deficiency - A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected. Must be communicated by the auditors in writing.
Material Weakness - A material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. Must be communicated by the auditors in writing.
Objectives – Internal Control
What is internal control?
Who is involved in internal control?
How to improve internal control
What is Internal Control?
Establish effective control environment
Identify “what can go wrong?” (risk assessment)
Implement controls to manage risk (control activities)
Implement reliable information system & communicate
Monitor control performance
What is Internal Control? (continued)
Entity level controls – Controls that affect the entire organization.
“Tone at the Top”
What can go wrong; anti-fraud programs
Assignment of authority
Distribution of financial information; IT general controls
Accountability by departments/functions
Activity level controls – Controls that capture, process, communicate information.
Transaction cycle controls
Segregation of duties
Entity-Level Controls
Control Environment: Attitudes, awareness, actions of Owners/Management (those charged with “governance”)
Risk Assessment: How Owners/Management consider risks and take actions to address them
Control Activities: Anti-fraud controls; IT general controls
Information & Communication: Capture events that affect reporting; communicate reporting roles/responsibilities
Monitoring: High-level activities that monitor controls/overall accountability
Entity-Level Controls (continued)
What about Smaller Entities?
Smaller entities may use less formal means and processes to achieve their control objectives.
Therefore certain components of internal control may not be clearly distinguished, but the underlying purpose is equally valid.
Who is Involved with Internal Control?
Management has primary responsibility.
Not just for the accounting department.
Consider all aspects of the company that impact internal controls
Examples:
Hiring, Training, Promoting
Operations
Sales
Activity Level Controls
Information: Procedures to initiate, record, process and report transactions
Control Activities: Policies and procedures related to assertions; IT application controls; segregation of duties, safeguard assets, reconciliations
Classes of Transactions, Account Balances, Disclosures
How to Improve Internal Control
Ask “what can go wrong?”
Design controls to mitigate the risk.
Monitor control performance.
Set an appropriate tone at the top.
Exercise oversight of the financial reporting process.
Consider control recommendations identified by auditors.
What Can You Do to Help?
Document your key controls and perform your own risk assessment.
Respond promptly to inquiries and document requests.
Expect and prepare your staff for walkthroughs.
Communicate your questions or concerns.
Look at this as an opportunity to improve controls, not another “hoop to jump through”.