1

SAS 104-111 Teleconference

Jan. 15, 2009

Craig Funkhouser, Crowe Horwath LLP

Ken Goldmann, J.H. Cohncraig.funkhouser@crowehorwath.com

kgoldmann@jhcohn.com

2

Today’s Program

Historical Background, Review Of Key Terms Of SAS 104-111: Craig Funkhouser, Slides 3 Through 31

Lessons For Companies: Ken Goldmann, Slides 32 Through 51

Early Experiences From Implementation Of SAS 104-111: Craig Funkhouser, Slides 52 Through 72

A Look Forward: Craig Funkhouser And Ken Goldmann, Slides 73 Through 83

3

Historical Background, Review Of Key Terms Of SAS 104-111

4

How Did We Get Here?●

Bad publicity beginning with Enron: 2001●

Congress passes the Sarbanes-Oxley Act of 2002●

AICPA issues SAS No. 99, Consideration of Fraud in a Financial Statement Audit, effective in 2003

●

PCAOB issues Audit Standard No. 2, Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, in 2004

●

AICPA issues SAS No. 103, December 2005●

AICPA issues SAS Nos. 104 through 111, March 2006●

AICPA issues SAS No. 112, May 2006●

AICPA issues SAS No. 114, December 2006●

PCAOB issues Audit Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, 2007

5

●

Eight new auditing standards Enhance auditor performance Improve audit effectivenessEncourage auditors to focus on areas where the risk of misstatement is the greatest

●

Effective for audits of financial statements for periods beginning

on or after Dec. 15, 2006

●

SAS 103 and SAS 112 were effective for periods ending

on or after Dec. 15, 2006 and are NOT considered part of the risk assessment

standards

●

SAS 114 –

The auditor’s communication with those charged with governance is effective for periods beginning

on or after Dec. 15, 2006 and is NOT considered part of the risk assessment standards

AICPA Risk Assessment Standards

6

SAS Nos. 103, 112 And 114●

SAS No. 103, Audit DocumentationEffective for periods ending after Dec. 15, 2006Changes documentation standards, supersedes SAS No. 96Changes how auditors date their audit reports

●

SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit

Effective for periods ending after Dec. 15, 2006Changes the classification of control deficienciesChanges how auditors assess severity of deficienciesChanges communication requirements

●

SAS No. 114, The Auditor’s Communication with Those Charged with

Governance

Effective for periods beginning after Dec. 15, 2006Changes “required communications,” supersedes SAS No. 61Not only for companies who maintain an audit committee

7

Overview Of Risk Assessment Standards

●

Statement on Auditing Standards (SAS) No. 104 –

Amendment to SAS No. 1, Codification of Auditing Standards and Procedures

●

SAS No. 105 –

Amendment to SAS No. 95, Generally Accepted Auditing Standards

●

SAS No. 106 –

Audit Evidence●

SAS No. 107 –

Audit Risk and Materiality in Conducting an Audit●

SAS No. 108 –

Planning and Supervision●

SAS No. 109 –

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

●

SAS No. 110 –

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

●

SAS No. 111 –

Amendment to SAS No. 39, Audit Sampling

8

Overview Of Risk Assessment Standards (Cont.)

These statements establish standards and provide guidance concerning:

•

The auditor’s assessment of the risks of material management (whether

caused by error or fraud) in a financial statement audit

•

The design and performance of audit procedures whose nature, timing and extent are responsive to the assessed risks

9

Overview Of Risk Assessment Standards (Cont.)The statements also establish standards and provide guidance on:

• Planning and supervision

• The nature of audit evidence, and•

Evaluating whether the audit evidence obtained affords a

reasonable basis for an opinion regarding the financial

statements under audit

10

The primary objective is to enhance auditors’ application of the

audit risk model in practice by specifying, among other things:

•

More in-depth understanding of the entity and its environment,

including its internal controls, to identify the risks of material

misstatement in the financial statements and what the entity

is doing to mitigate them

•

More rigorous assessment of the risks of material misstatement

of the financial statements, based on that understanding

•

Improved linkage between the assessed risks and the nature,

timing and extent of audit procedures performed in response to

those risks

Overview Of Risk Assessment Standards (Cont.)

11

Risk Assessment Provisions

●

The major risk assessment provisions are designed to:Expand the quality and depth of the auditor’s required understanding of the entity and its environment, including its internal controlsRequire the auditor to assess the risks of material misstatements at the financial statement level and at the assertion level on all audits based on the understanding obtainedEliminate the “default to maximum” for control risk, which should encourage testing of controls

12

Risk Assessment Provisions (Cont.)

●

The major risk assessment provisions are designed to:Emphasize the importance of the entity’s risk assessment processStrengthen the linkage between assessed risks and the auditor’s response to those risksClarify the auditor’s ability to rely on audit evidence gathered in prior auditsStrengthen guidance for testing disclosuresClarify and expand guidance on evaluating audit findings, andExpand documentation requirements

13

SAS No. 104

●

Expands the definition of “reasonable assurance” to a high, but not absolute, level of assurance

●

Requires the auditor to plan and perform the audit to limit audit risk to a low level

14

SAS No. 105

●

Expands the scope of the understanding that the auditor must obtain in the second standard of field work from “internal control” to “the entity and its environment, including its internal control”

●

The quality and depth of the understanding to be obtained is emphasized by amending its purpose from “planning the audit” to “assessing the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures”

●

Use of generic or standard audit programs is not appropriate, since risk varies among entities being audited

15

SAS No. 106

●

Introduces the concept of “risk assessment procedures”

●

Identifies risk assessment proceduresInquiries of management and others in the entityAnalytical proceduresObservation, inspection and other audit evidence

●

Clearly states that inquiry alone is not sufficient in evaluating the design of an internal control and to determine whether it has been implemented

●

Recategorizes

assertions by classes of transactions and events, account balances, and presentation and disclosure; and describes

how the auditor uses relevant assertions to assess risk and design audit procedures

16

Financial Statement Assertions

SAS 106 identifies 13 assertions rather than five. The assertions are asfollows:

Assertions per SAS 106, paragraph. 15 Transactions Occurrence

Completeness Accuracy Cutoff Classification

Acct Balances Existence Rights & Obligations Completeness Valuation & Allocation

Presentation Occurrence & Rights & Obligations Completeness Classification & Understandability Accuracy & Valuation

No. Of Assertions 13

17

SAS No. 107

●

SAS No. 107 states that the auditor must consider audit risk and

must determine a materiality

level for the financial statements taken as a whole

●

The determination of materiality takes into account how users with the following characteristics could reasonably be expected to be

influenced in making economic decisions. Users are assumed to:

Have an appropriate business knowledge and a willingness to study the financial statementsUnderstand that financial statements are prepared and audited tolevels of materialityRecognize the uncertainties inherent (estimates, judgments, consideration of future events)Make appropriate economic decisions on the basis of information in the financial statements

18

SAS No. 107 (Cont.)

●

Audit risk consists of:The risk of material misstatement (consisting of inherent risk and control risk) – that the relevant assertions related to balances, classes or disclosures contain misstatements (whether caused by error or fraud) that could be material to the financial statements, when aggregated with misstatements in other relevant assertions related to balances, classes, or disclosures

The risk (detection risk) that the auditor will not detect such misstatements

19

SAS No. 107 (Cont.)

●

Tolerable misstatement is the maximum error in a population that

the auditor is willing to accept

When assessing the risks of material misstatements and designing and performing further audit procedures to respond to the assessed risks, the auditor should allow for the possibilitythat some misstatements of lesser amounts than the materiality levels could, in the aggregate, result in a material misstatement of the financial statements. To do so, the auditor should determine one or more levels of tolerable misstatement. Such levels of tolerable misstatement are normally lower than the materiality levels

20

SAS No. 107 (Cont.)

●

“The auditor must accumulate all known and likely misstatements identified during the audit, other than those that the auditor believes are trivial, and communicate them to the appropriate level of management” (SAS No. 107)

The auditor should request management to record adjustments needed to correct all known misstatements

When the misstatements are considered likely, the auditor should request that management examine the situation in order to identify and correct misstatements therein

21

●

SAS No. 108 provides guidance on:Appointment of the independent auditorEstablishing an understanding with the client (should be written)Preliminary engagement activitiesThe overall audit strategy (formerly “audit approach”)The audit plan (formerly “audit program”)Determining the extent of involvement of professionals possessing specialized skillsUsing a professional possessing information technology (IT) skills to understand the effect of IT on the auditAdditional considerations in initial audit engagement;Supervision of assistants

SAS No. 108

22

SAS No. 109

●

SAS No. 109 establishes requirements and provides guidance about implementing the second standard of fieldwork, as follows:

The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit proceduresThe auditor should assess the risk of material misstatement at both the financial statement and relevant assertion levelsUnder the previous standard, the primary purpose of gaining an understanding of internal control was to plan the audit

23

●

SAS No. 109 states that the audit team should discuss the susceptibility of the entity’s financial statements to material misstatement

Previous standards did not require a “brainstorming” session to discuss the risk of material misstatementsThis discussion can be held concurrently with the SAS No. 99 fraud brainstorming session, and SAS 109 requires that this discussion among the audit team members be appropriately documented

SAS No. 109 (Cont.)

24

SAS No. 110●

SAS No. 110 provides guidance on determining overall responses, and designing and performing further audit procedures, to respond to

assessed risks of material misstatements at the financial statement and relevant assertion levels. The auditor’s overall responses to address the

assessed risks of material misstatement at the financial statement level may include:

Emphasizing professional skepticism in gathering and evaluating audit evidenceAssigning more experienced personnel or those with specialized skillsProviding more supervisionIncorporating additional elements of unpredictability in the selection of further audit procedures to be performed, andMaking general changes to the nature, timing or extent of further audit procedures

25

SAS No. 110 (Cont.)

●

In designing further audit procedures, the auditor should consider such matters as:

The significance of the riskThe likelihood that a material misstatement will occurThe characteristics of the class of transactions, account balance or disclosure involvedThe nature of the specific controls used by the entity – in particular, whether they are manual or automatedWhether the auditor expects to obtain audit evidence to determine if the entity’s controls are effective in preventing or detecting material misstatements

26

SAS No. 110 (Cont.)

●

The auditor should perform tests of controls when:The auditor’s risk assessment includes an expectation of the operating effectiveness of controls; orSubstantive procedures alone do not provide sufficient appropriate audit evidence at the relevant assertion level

●

When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor should determine what additional audit evidence should be obtained for the remaining period

●

If the auditor plans to rely on the operating effectiveness of controls intended to mitigate a significant risk, the auditor should obtain audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period

27

SAS No. 110 (Cont.)

●

SAS No. 110 states that the auditor should perform certain substantive procedures for all engagements. These procedures include:

Performing substantive tests for all relevant assertions related to each material class of transactions, account balances and disclosures, regardless of the assessment of the risk of material misstatementAgreeing the financial statements, including their accompanying notes, to the underlying accounting recordsExamining material journal entries and other adjustments made during the course of preparing the financial statements

28

SAS No. 111

●

SAS No. 111 provides guidance relating to the auditor’s judgment

about establishing tolerable misstatement for a specific audit procedure and on the application of sampling to tests of controls. This statement amends SAS No. 39, Audit Sampling, to state the following:

When planning a sample for a test of details, the auditor shoulddetermine the tolerable misstatement for the sampleTolerable misstatement is the maximum error in a population (for example, the class of transactions or account balance) that the auditor is willing to accept. This term may be referredto as tolerable error in other standards

29

SAS No. 111 (Cont.)

●

An auditor who applies statistical sampling uses tables or formulas to compute sample size based on these judgments

●

An auditor who applies non-statistical sampling uses professional judgment to relate these factors in determining the appropriate sample size. Ordinarily, this would result in a sample size comparable to the sample size resulting from an efficient and effectively designed statistical sample, considering the same sampling parameters

30

SAS No. 111 (Cont.)

●

To determine the number of items to be selected in a sample for a particular test of details, the auditor should consider:

Tolerable misstatementExpected misstatementAudit riskCharacteristics of the populationAssessed risk of material misstatement (inherent risk and control risk)Assessed risk for other substantive procedures related to the same assertion

31

Conclusions●

How will these standards impact me?Public accountants:–

Revisions to audit approach–

Increased focus on assessing risks–

Increased procedures relative to internal controls–

DocumentationPrivate accountants–

Opportunity to reduce costs by:•

Preparation of comprehensive documentation of policies and procedures

•

Identification of key internal controls•

Identification of risk exposure•

Preparation of the financial statements and related disclosures–

Increased focus on good corporate governance–

Higher-quality financial reporting–

Business process improvements

32

Lessons For Companies

33

Lessons For Companies

●

Recent events in the financial markets raise many questionsDo companies understand the risk assessment processes?Do people really understand what risks their company faces? How are you dealing with the risk of fraudulent financial reporting?

●

SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Are we so concerned with material misstatement in the financial statements that we’ve lost sight of business risk?

34

What Should Companies Be Doing?Answer the following questions:●

How is risk defined at your company (or, is defined)?●

How effective is your governance process over risk?●

What risks exist today?●

What processes exist to analyze your risk?●

What processes exist to quantify your risk?●

What processes exist to be sure all business units understand your risk profile?

●

What is being done to mitigate your risks?●

What keeps you up at night?

35

The Audit Risk Model●

Audit risk (AR) = Inherent risk (IR) X control risk (CR) X detection risk (DR)

●

AR = IR X CR X DR●

Components of audit risk●

Inherent risk –

Risk existing in balances or transactions(Complexity , judgment, theft, obsolescence)

●

Control risk –

Risk that ICFR isn’t effective●

Detection risk –

Risk that error will not be found

36

Internal Audit Engagement Approach

37

Phase 1: Scoping And Understanding Business Objectives

●

Obtain a clear and comprehensive understanding of your:

Environment

Organization culture

Objectives

The operating model in which the internal control structure mustoperate and be effective to mitigate enterprise risk

●

How is this accomplished?

By interviews with key management personnel

Review of any previous risk assessments

Audit plans, strategic plans, marketing plans, financial budgets, management representation letters and IT plans

38

Phase 2: Risk Assessment

●

Develop an assessment of risks: business, financial, operational, compliance, as well as any others that are pertinent given the organizational objectives

●

Focus is on the areas of high risk and areas that are important to management in the achievement of its business objectives

●

To the extent available, use your internal audit function, as it

is an integral part of keeping management informed of opportunities for efficiencies and improvements in an organization’s internal control structure

39

Phase 3: Develop Audit Plan

●

Once the risk assessment is complete, develop and prepare a document that identifies the potential audit universe

●

This document will identify each audit area, along with an assigned risk rating and recommended audit cycle

●

Develop a current-year audit schedule

●

Ensure that the plan will meet your goals and objectives

40

Phase 4: Execute Audit Plan

●

Begin each audit with a pre-audit meeting

●

Once scope has been set and communicated, develop and execute the test plans

Include detailed testing

Interviewing

Process-mapping

Document review

Observation

●

Throughout this phase, your team should continuously communicate

with management as to progress, potential issues and needs

41

Phase 5: Reporting And Monitoring

During the course of any audit, issues will surely arise. These should be reported in three ways

1.

Continuously communicate with management as your teams progress through each audit

2.

Prepare a summary document that reflects all of the issues noted during the course of the audit

3.

Draft a formal audit report that reflects all previously discussed issues, recommendations and management’s agreed-to action plans

42

New SEC Guidance●

Released in conjunction with proposed Auditing Standard No. 5 (AS-5)

●

Key points in release:

Top-down, risk based approach

Entity-level, anti-fraud and compensating controls become more important

Evaluation of controls based on identification and assessment ofrisk

Subsequent years’ effort will be reduced (focus only on changes in risk)

IT general controls necessary to address financial reporting risks

Evidence (amount of testing) based on risk assessment

43

Documentation Phase

DevelopProject Plan &

Scoping

Document/Updatethe “As Is”Process &Controls

Develop/Update RCMs &

Test Scripts(Identification of

Key Controls)

Remediation

Key ControlTesting

Design Gaps

Operating

Effectiveness G

aps

Operating

Effectiveness G

aps

Remediation will require re-testing of the control after the fix is implemented. It may involve documentation update as well

Planning/

Scoping Phase

Testing Phase

Enterprise Risk AssessmentFraud AssessmentProject scopeProject Plan

Road Map For Compliance

44

Typical areas of concern

•

Non-routine transactions

•

Estimates

•

IT general and application-level controls

•

Depth of testing to substantiate effectiveness of control

•

Judgment on severity of identified weakness

•

Effective PMO

•

Timely remediation of gaps

Some Key Factors To Consider

45

Achieving Effective ICFR The COSO Framework

●

Control environment●

Risk Assessment●

Control activities●

Information and communication●

Monitoring

46

Control Environment

●

Integrity and ethical values●

Board of directors●

Management’s philosophy and operating style●

Organizational structure●

Financial reporting competencies●

Authority and responsibility●

Human resources

47

Risk Assessment

●

Financial reporting objectives

●

Financial reporting risks

●

Fraud risk

48

Control Activities

●

Integration with risk assessment

●

Selection and development of control activities

●

Policies and procedures

●

Information technology

49

Information And Communication

●

Financial reporting information

●

Internal control information

●

Internal communication

●

External communication

50

Monitoring

●

Ongoing and separate evaluations

●

Reporting deficiencies

51

Management To-Dos

●

What could go wrong?

●

Focus on risks that are significant and likely

●

Know the objectives of internal controlsProvide effectiveness and efficiency of operationsEnsure reliable financial reportingComply with laws and regulations

52

Early Experiences From Implementation Of SAS 104-111

53

ImplementationSummer 2006 through Fall 2007

●

Extensive training for auditors●

Over-communication with clientsAwareness: Informing clients of changes in audit standardsIncreased time required to complete the auditIncreased feesOverall impact on the audit

●

Comprehensive revisions to audit methodology

54

Before The Risk Standards

●

SAS 112, Communication of Control DeficienciesRedefined material weaknesses, significant deficiencies and deficiencies, while eliminating the term “reportable condition”Enhanced required communications (need to repeat SD and MW)Required auditors to inform the clients whether the identified control deficiencies are significant deficiencies or material weaknessesHuge impact when combined with new risk-based standards

55

SAS 112 LettersChange in terminology –

Classification of comments

●

Material weakness

–

A material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood

that a material misstatement of the financial statements will not be prevented or detected by the entity’s internal controls

56

●

Significant deficiency

–

A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process or report financial data reliably in accordance with generally accepted accounting principles, such that there is more than a remote likelihood

that a misstatement of the entity’s financial statements that is more than inconsequential

will not be prevented or detected by the entity’s internal control

SAS 112 Letters (Cont.)

Change in terminology –

Classification of comments

57

●

Deficiency

–

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis

●

Best practice

–

A matter which you may find of interest –

not related to a control matter (in theory, these comments should address how management can improve their operations and are viewed as “value-

added” comments)

SAS 112 Letters (Cont.)Change in terminology –

Classification of comments

58

SAS 112 Letters (Cont.)

Testing LIFO Unit Counts Significant Deficiency

Observation:

During our testing of the LIFO reserve, we noted several instances where the same itemin multiple inventory locations had a different LIFO unit cost. Most differences in LIFOunit costs had immaterial impacts on the LIFO reserve calculation, and correspondingly,net income. One instance resulted in the misstatement of net income from 2002-2007 byapproximately $580,000. However, the cumulative impact over time was only $60,000.Management has not compared LIFO costs between locations to ensure that the samebase year cost is being utilized.

Business Risk:

The business risk associated with this deficiency is that the LIFO reserve may not befairly stated and, as noted above, income may be misstated.

Recommendation:

We recommend that management implements control procedures as part of its monthlyclosing process to check for similar instances so that any errors are identified andresolved timely.

Management’s Response:

Management will look into implementing procedures during the next fiscal year toimprove the LIFO costing process and verify no errors exist.

(Implemented prescribed formats for management comment letters)

Deficiency communication –

What is the control issue,

what is the risk, what is the recommendation?

59

SAS 104-111 Early Experiences –

Changes In Audits

●

Materiality levels have changed (usually lower)●

Confirmation testing has increasedMore receivable confirmations, for example

●

More extensive understanding of internal controlsObserving, reviewing, corroborating supporting evidenceAdditional time spent with client personnel

●

More extensive understanding of IT controlsObserving, reviewing, corroborating supporting evidenceTime spent understanding the interplay with manual controls

●

Enhanced IT control testing

60

●

More extensive testing of internal controlsManual and computer controlsMore linkage of reliance on controls to other substantive testing

●

Understand entity level controls –

risk impact –

linkage ●

Conveyance of SAS 104-111 to foreign auditors, for them to comply with U. S. GAAS requirements

SAS 104-111 Early Experiences –

Changes In Audits

(Cont.)

61

●

Our auditors are requesting more information regarding:Internal controls – computer and manualVarious procedures – corroborating Client policies – not always written

●

This information must be supported by written internal documentation

Must be maintained by the clientShould not simply be the internal control questionnaires or forms maintained by the outside auditor

SAS 104-111 Early Experiences –

Client Matters

62

●

More formal documentation is required of our clientsJournal entries – documentation of who prepared and who reviewedAccount reconciliations – documentation of who prepared and who reviewedMonthly results – formal documentation of the review of actual results to budgeted results and same month/prior year results

●

Some clients feel that “the playing field has changed,” while other clients “embrace the enhanced audit standards”

SAS 104-111 Early Experiences –

Client Matters

(Cont.)

63

●

“The risk assessment standards had little effect on the design of certain audit procedures”

Auditors are still spending time on areas where risk of misstatement is not greatExample of long-term debt–

Client performs, reviews and documents the reconciliation process, from lender statements to the general ledger

–

Audit team still sends confirmations, tests interest reasonableness and performs other non-value added audit procedures

SAS 104-111 Early Experiences –

Auditor

Issues/Comments

64

●

“The risk assessment standards drive deficiency communication even without audit adjustments”

Client did not document any of their controls, and controls could not be corroborated by the auditorsClient got the answer right in the end; standards indicate the need to communicate deficiencies even without an audit adjustmentLesson per the standard: “It is not appropriate to be lucky vs. good when it involves controls”

SAS 104-111 Early Experiences –

Auditor

Issues/Comments (Cont.)

65

SAS 104-111 Early Experiences –

Auditor

Issues/Comments (Cont.)

Corroboration > inquiry

● In the past, we would inquire as to who had wire transfer authority

●

Now, we would ask to see an official list provided to, or confirmed

by, the bank

●

Many times, we find terminated employees on that list, which we

would not have seen if we depended on inquiry

66

●

Prior audits –

The auditors proposed/prepared journal entries representing proposed corrections of accounting records

Prior to risk assessment standards, maybe no management commentsaddressed this issueThis year, audit team issued a “material weakness” regarding accounting and reporting relating to the proposed corrections of the accounting recordsCorrections are usually an indicator that controls were not functioning correctly or do not exist to keep accounting information correct

SAS 104-111 Early Experiences –

Awkward

Situations With Clients

67

●

Hesitation to provide completed trial balances or schedules

Clients do not want any deficiencies (or significant deficiencies or material weaknesses)

Clients then hold back providing schedules or intentionally omitcertain line items (e.g., income taxes)

Ultimate result is a “debate” as to who identified the need for an adjusting entry

SAS 104-111 Early Experiences –

Awkward

Situations With Clients (Cont.)

68

●

Complex accounting issuesHedge accounting – FAS No. 133Clients not taking responsibility to comply with standardClients ultimately rely on outside auditorsSometimes judgmental issues

●

Extra time spent “debating” classification of commentsClients want “best practices”Control observations are deficiencies

●

Must repeat observations or make reference to prior observations

if still present –

added communication

SAS 104-111 Early Experiences –

Awkward Situations

with Clients (Cont.)

69

Owner-managed businesses● Little or no documentation of entity-level controls● No formal meetings among ownership, management, others● No corporate governing committee

Resulting in no formal documentation of:● Review of financial statements● Approval of significant, unusual transactions● Changes to employment policies

Clients ask:● What is the value of documenting these processes?

SAS 104-111 Early Experiences –

Awkward Situations

with Clients (Cont.)

70

●

Instances where all risk assessments were completed well in advance of year-end

We met with management and those charged with governance to discuss the significant deficiencies

Management adopted all recommendations and made changes in their control system (policies/procedures) prior to year-end and corrected past information, if necessary

We considered this similar to remediation under AS-5, Public Company Audit Requirement

No control-related deficiencies in their SAS 112 letter

SAS 104-111 Early Experiences –

Client Interactions

71

SAS 104-111 Early Experiences -

Conclusions

●

This is not a “blame game”How can auditors help you?The recommendation is the key

●

More communications with your auditorsAnything that will drive more communication with your auditors will be good for you . . . unless you have something to hide

●

Inherent riskCFOs cannot control inherent risk (e.g., economic times, gas at $4.25 per gallon)Must think about controls in place to deter those employees who may be tempted to steal inventory, use manual checks for personal use, etc.

72

●

Win for the clientMore information about their control systemsMore communication with auditors about risks

●

Win for the auditorsMore communication with clientsBetter understanding about control systems

●

Win for the public trustBetter financial informationImproved interim financial reporting due to enhanced controls

SAS 104-111 Early Experiences –

Conclusion

(Cont.)

73

A Look Forward

74

Looking Forward

After SAS 104-111● SAS No. 115

● PCAPB proposal of seven new auditing standards

75

Statement On Auditing Standards (SAS) No. 115, Communicating Internal Control Related Matters in an Audit

●

Supersedes SAS No. 112

●

Revisions to definitions to align with AS-5

●

Implications for government audits

●

Management letter change

76

Material Weakness

A deficiency, or combination of deficiencies, in internal control,

such that there is a reasonable possibility1 that a material

misstatement of the entity’s financial statements will not be

prevented or detected and corrected

1FAS No. 5 –

Remote, Reasonably Possible and Probable

77

Significant Deficiency

A deficiency, or a combination of deficiencies, in internal control

that is less severe than a material weakness, yet important enough

to merit attention by those charged with governance

78

Implications For Government Audits

“Not Yet Adopted”

●

Government Auditing Standards●

Circular A-133●

Other similar federal regulations●

Audit guides

Do not implement early SAS No. 115 under thesestandards!

79

Management Letter Changes

“Auditor’s consideration of internal control was not designed to

identify all deficiencies in internal control that might be significant

deficiencies or material weaknesses and therefore, there can be no

assurance that all deficiencies, significant deficiencies or material

weaknesses have been identified”

80

Communication Content●

Best made by report release date

●

No later than 60 days following release date

●

Include statement indicating consideration of internal controls

not designed to identify all SD or MW

Effective Date●

Periods ending on or after Dec. 15, 2009

Earlier implementation is

permitted, except as previously noted

81

PCAOB –

Proposal Of Seven New Standards

●

Proposed Oct. 21, 2008

●

120-day comment period expires Feb. 18, 2009

●

Replaces existing “Interim PCAOB Standards”

●

All proposed standards deal with audit risk

82

PCAOB –

Proposal Of Seven New Standards (Cont.)

The proposed new standards are:

● Audit Risk in an Audit of Financial Statements

● Audit Planning and Supervision

● Identifying and Assessing Risks of Material Misstatement

● The Auditor’s Responses to the Risks of Material Misstatements

● Evaluating Audit Results

● Consideration of Materiality in Planning and Performing an Audit

● Audit Evidence

83

PCAOB –

Proposal Of Seven New Standards (Cont.)

Improvements to audits of public companies

The PCAOB has stated that the proposed standards:●

Would update the existing requirements to take account of the improved

risk-based audit methodologies currently in use by some auditors●

Should enhance integration of the audit of the financial statements with

the audit of internal control over financial reporting, resulting in more

effective audits●

Would integrate the auditor’s current responsibilities for considering

fraud during the audit● Would serve as an improved foundation for future standard-setting●

Reflect the Board’s effort to reduce unnecessary differences with the

risk assessment standards of other auditing standard-setters