Audit Standards Update with Focus on Risk Suite and Impact on IT Audit - PowerPoint PPT Presentation
1
Audit Standards Update with Focus on Risk Suite
and Impact on IT Audit
  • Anne Skorija and Mike Billo
  • Commonwealth of Pennsylvania
  • Department of the Auditor General

2
Objectives
  • Risk Assessment Standards (SAS 104-111)
  • What lessons have we learned during
    implementation and External Quality Control
    Reviews
  • Other AICPA Standards including
  • Communicating Internal Control Related Matters
    Identified in an Audit (SAS 112 vs. 115)
  • Communication with Those Charged with Governance
    (SAS 114)

3
Objectives
  • GAO Standards
  • Government Auditing Standards 2007 revisions
    impacting IT Audit (Financial and Performance
    Audits)
  • Federal Information System Controls Audit Manual
    (FISCAM) updated February 2009
  • Assessing the Reliability of Computer Processed
    Data updated July 2009

4
SAS 104 - 111
  • Risk Assessment Standards

5
Risk Assessment Audit Standards
  • All issued March 2006
  • Effective for audits of Financial Statements for
    periods beginning after December 15, 2006 (some
    audits already through External QCR)
  • These standards stress improving the quality and
    depth of the auditor's understanding of the entity
    and the effectiveness of the audit of its financial
    statements

6
What Risk Assessment Means
  • When planning and conducting an audit, the main
    focus should be on those areas of higher risk for
    material misstatement
  • Step 1: think about where material misstatements
    can occur
  • Step 2: design audit procedures responsive to
    those risks
  • Step 3: evaluate audit findings and assess
    impact on audit opinion

7
SAS 104
  • Amendment to SAS 1, Codification of Auditing
    Standards and Procedures (Due Professional Care
    in the Performance of Work)
  • Reasonable assurance is a key concept that
    underlies all aspects of auditing
  • Clarifies that the term "reasonable" means a high
    level of assurance
  • Auditors need reasonable assurance that the
    Financial Statements are not materially misstated

8
SAS 105
  • Amendment to SAS 95, Generally Accepted Auditing
    Standards
  • Cleans up language throughout SASs
  • must be performed by persons having adequate
    technical training and proficiency as an auditor
  • must obtain sufficient understanding of the
    entity, environment, including Internal control
  • must obtain sufficient appropriate audit evidence

9
SAS 106
  • Audit Evidence
  • Sufficient appropriate audit evidence is basis
    for audit opinions
  • Evidence must be gathered for each of the
    relevant F/S assertions
  • Defines the term "appropriate" (a measure of
    quality of audit evidence)
  • Auditors should evaluate the nature and
    complexity of the use of IT

10
SAS 107
  • Audit Risk and Materiality in Conducting an Audit
  • Risk of Material Misstatement (RMM)
  • Inherent Risk
  • Control Risk
  • Determining Materiality
  • What would users consider material?

11
SAS 108
  • Planning and Supervision
  • Auditor may assign a professional possessing IT
    skills to inquire
  • How data and transactions are initiated,
    authorized, recorded, processed and reported
  • How IT controls are designed: inspecting systems
    documentation, observing operation of IT
    controls, and planning and performing tests of IT
    controls
  • Consider changes in IT systems when planning

12
SAS 109
  • Understanding the Entity and Its Environment and
    Assessing the Risks of Material Misstatement
  • SAS 109 and 110 together supersede SAS 55, 78 and
    94
  • Includes consideration of the entity's use of
    information technology
  • More on this later

13
SAS 110
  • Performing Audit Procedures in Response to
    Assessed Risks and Evaluating the Audit Evidence
    Obtained
  • Design further audit procedures in response to
    risks of material misstatement at the relevant
    assertion level.
  • Make a clear connection between risks/controls
    over IT and the extent of testing

14
SAS 111
  • Amendment to Statement on Auditing Standards No.
    39, Audit Sampling
  • Cleans up Audit Sampling (AU Section 350, SAS
    39) to include the Risk Assessment Standards

15
SAS 109: Greatest Impact on IT Audits
16
Key Steps in a Financial Statement Audit
  • Assess Risk by performing Risk Assessment
    Procedures (SAS 109)
  • In every financial statement audit you are required
    to assess the risks that individual financial
    statement assertions are materially misstated,
  • including risks associated with IT
  • Respond to Risk by designing audit tests that
    address those risks (SAS 110)

17
Emphasis is on Transactions
  • Information technology encompasses automated
    means of originating, processing, storing and
    communicating information
  • An entity's use of IT may be extensive; however,
    the auditor is primarily interested in the
    entity's use of IT to initiate, authorize,
    record, process, and report transactions or other
    financial data

18
Audit Risk
  • Risk that the financial statements are materially
    misstated
  • and the auditor fails to detect such a
    misstatement or appropriately modify the audit
    opinion
  • Reduce audit risk by:
  • Assessing the risk of material misstatement
  • Based on that assessment, design and perform
    overall responses and further audit procedures
    that reduce audit risk to a low level.

19
Significant Classes of Transactions
  • Transactions that are important to our assessment
    of the risk of material misstatement
  • Therefore, we need to design audit procedures to
    test these transactions by assertion
    (Occurrence, Completeness, Accuracy, Cutoff,
    Classification)
  • For example, Personal Income Tax transactions may
    be a significant class of transactions to a State

20
Material Account Balances
  • Account balance on the balance sheet is important
    to our assessment of the risk of material
    misstatement
  • Therefore, we need to design audit procedures to
    test the F/S assertions relevant to this account
    balance (Existence, Rights and Obligations,
    Completeness, Valuation and Allocation)
  • Example: Long-term Debt may be a material balance
    on a state's balance sheet

21
Internal Control Components
  • Control Environment
  • sets the tone
  • Entity's risk assessment
  • identification and analysis of relevant risks
  • Information and Communication systems
  • support the identification, capture and exchange
    of information
  • Control activities
  • policies and procedures that help ensure that
    management directives are carried out
  • Monitoring
  • Assess quality of internal controls over time

22
Obtain an Understanding
  • The auditor should understand the five components
    of internal control in order to assess the risk
    of material misstatement, which will assist in the
    following:
  • Identifying potential misstatements
  • Considering issues that affect the risks of
    material misstatement
  • Assisting in the design of tests of controls and
    substantive procedures

23
What's New in SAS 109
  • Need to establish a clear link between:
  • Audit risk
  • Significant classes of transactions/material
    balances
  • Financial Statement Assertions
  • AND
  • IT Applications and Systems

24
Computer Controls
  • General Controls
  • Access (logical and physical)
  • Change management
  • Operations
  • Application Controls

25
Goal of Computer Control Reviews
  • Gain an adequate understanding of the computer
    controls and document that understanding, so that
    a clear link exists between the controls that
    have been implemented and the significant
    financial statement assertions, i.e., significant
    account balances and significant classes of
    transactions

26
SAS 109: Steps to Implementation
27
Implementing the Risk Assessment Standards
  • Training
  • IT Auditors trained to think like financial
    auditors
  • Risk, material balances, significant classes of
    transactions
  • Financial Auditors learning to better identify
    the applications/systems that are the sources of
    the Financial Statements
  • Communications
  • IT Auditors and Financial Auditors meeting to
    compare applications vs. transactions/balances
  • Lesson learned: Do Not Assume

28
Assess the Situation
  • New staff with IT backgrounds
  • First year back involved with statewide financial
    audit
  • Simultaneous implementation with financial
    auditors

29
Training of our staff
  • Review of the CAFR and Basic Financial Statements
  • Interplay of opinion units and materiality
  • Significant Classes of Transactions
  • Material Balances
  • Audit Risk / Risk of Material Misstatement

30
Training of our staff
  • Risk Assessment Standards
  • Risk and materiality in a financial statement
    audit
  • How a financial statement audit differs from a
    performance audit
  • Focus on SAS 109
  • Five components of internal control

31
Agency Entrance Conferences
  • Training auditees: providing background
    information on risk assessment standards and new
    reporting requirements (SAS 112)
  • Focus on services provided by IT to the agency:
    What do you do? What transactions do your
    applications create?
  • Take-away: list of applications and transactions
  • Start to make the connection between
    systems/applications and dollars

32
Meeting with Financial Audit Team
  • Discuss the list of applications and transactions
    with the Financial Audit Teams (each agency)
  • Determine which applications process:
  • Significant classes of transactions, or
  • Material financial statement balances
  • Are we missing any applications?
  • E.g., a certain educational subsidy was not
    processed by the Department of Education but
    rather processed by another agency on a Unix box
    across town

33
Summary Memo
  • List of applications and systems included in our
    controls review
  • Strategy for grouping systems to efficiently
    review controls
  • Common controls can be reviewed together, e.g.,
    common use of Active Directory for user
    authentication or Endeavor to manage change
  • Level of procedures to be performed
  • Walkthrough of one vs. test of a sample
  • Are we missing any applications?
  • Confirm again with financial auditors

34
IT Audit Procedures
  • Documenting operational effectiveness of controls
    placed in operation
  • Walkthroughs in four key areas:
  • Manage change
  • Logical access
  • Physical access
  • Computer operations

35
SAS 109 New Areas of Interest
  • Manual controls that depend on IT (paragraph 84)
  • Error correction procedures (paragraph 85)
  • Controls over the financial reporting process
    (paragraph 86):
  • Enter transaction totals into the general ledger
    (or equivalent record).
  • Journal entries and recurring journal entries
  • Combine into financial statements

36
Other New SASs
  • SAS 112, Communicating Internal Control Related
    Matters Identified in an Audit (updated by SAS
    115)
  • SAS 113, Omnibus Statement on Auditing Standards
    2006
  • SAS 114, The Auditor's Communication With Those
    Charged With Governance

37
Communicating Internal Control Matters Identified
in an Audit
  • Audit Requirements
  • Financial Audits: SAS 112; GAO 5.10-5.14
  • Performance Audits: GAO 8.18-8.20
  • SAS 115 effective for audits of financial
    statements for periods ending on or after
    December 31, 2009
  • OMB Circular A-133 still requires SAS 112 language
    for FYE 6/30/09 audits
  • Yellow Book still uses SAS 112 language

38
SAS 112 vs. 115
  • New definition of Significant Deficiency
  • SAS 112
  • adversely affects the entity's ability to
    initiate, authorize, record, process or report
    financial data, and
  • more than a remote likelihood of misstatement
  • SAS 115
  • Deficiency or combination of deficiencies in
    internal control that is less severe than a
    material weakness, yet important enough to merit
    attention by those charged with governance.

39
SAS 112 vs. 115
  • Change to definition of Material Weakness
  • SAS 112
  • More than a remote likelihood that a material
    misstatement of the financial statements will not
    be prevented or detected
  • SAS 115
  • Reasonable possibility that a material
    misstatement of the financial statements will not
    be prevented, or detected and corrected on a
    timely basis

40
Those Charged With Governance (TCWG)
  • Audit Requirements
  • Financial Audits: SAS 114; communication
    requirements in SAS 54, 74, 99, 112; GAO
    4.06-4.08, 5.44
  • Performance Audits: GAO 7.46-7.49, 8.05, 8.07,
    8.43
  • Auditors should document:
  • the process used to identify TCWG, the
    conclusions reached on the appropriate
    individuals to receive the required
    communications, and
  • evidence that communication with TCWG occurred.

41
Recent GAO Guidance
42
Government Auditing Standards
  • Impact on IT Audits in 2007 revision
  • Chapter 4, Fieldwork Standards for Financial
    Audits
  • Covered by AICPA Auditing Standards
  • Chapter 7, Standards for Performance Audits
  • Some new language

43
2007 Yellow Book
  • IT impacts performance audits in three ways
    (paragraph 7.27):
  • Information systems controls as part of internal
    controls
  • Information systems as the source of reports and
    data files (used as evidence and/or used to
    support report)
  • Evaluation of information systems controls as a
    major part of an audit objective

44
Categories of General Controls in 2007 Yellow Book
  • 2007 Yellow Book lists general controls under the
    following categories:
  • Security management
  • Logical and physical access
  • Configuration management
  • Segregation of duties
  • Contingency planning
  • Categories correspond to FISCAM 2009

45
FISCAM
  • Federal Information System Controls Audit Manual
    (FISCAM)
  • Revised February 2009
  • Expanded purpose: provide guidance for GAGAS
    audits
  • Conforms with 2007 Yellow Book and AICPA auditing
    standards

46
Business Process Application Controls
  • Categories in both 2007 Yellow Book and 2009
    FISCAM:
  • Completeness
  • Accuracy
  • Validity
  • Confidentiality
  • Availability

47
Assessing the Reliability of Computer Processed
Data July 2007
  • Designed to be consistent with 2007 Yellow Book
  • Replaces the 2002 Assessing the Reliability of
    Computer-Processed Data
  • Key Points:
  • Conducting only the amount of work necessary to
    determine whether the data are reliable enough
  • Maximizing professional judgment

48
Assessing the Reliability of Computer Processed
Data July 2007
49
Questions/Comments Thank you!