Title: Audit Standards Update with Focus on Risk Suite and Impact on IT Audit
1Audit Standards Update with Focus on Risk Suite
and Impact on IT Audit
- Anne Skorija and Mike Billo
- Commonwealth of Pennsylvania
- Department of the Auditor General
2Objectives
- Risk Assessment Standards (SAS 104-111)
- What lessons have we learned during
implementation and External Quality Control
Reviews - Other AICPA Standards including
- Communicating Internal Control Related Matters
Identified in an Audit (SAS 112 vs. 115) - Communication with Those Charged with Governance
(SAS 114)
3Objectives
- GAO Standards
- Government Auditing Standards 2007 revisions
impacting IT Audit (Financial and Performance
Audits) - Federal Information System Controls Audit Manual
(FISCAM) updated February 2009 - Assessing the Reliability of Computer Processed
Data updated July 2009
4SAS 104 - 111
- Risk Assessment Standards
5Risk Assessment Audit Standards
- All issued March 2006
- Effective for audits of Financial Statements for
periods beginning after December 15, 2006 (some
audits already through External QCR) - These standards stress improving the quality and
depth of understanding and effectiveness of
financial statements being audited
6What Risk Assessment Means
- When planning and conducting an audit, the main
focus should be on those areas of higher risk for
material misstatement - Step 1 think about where material misstatements
can occur - Step 2 design audit procedures responsive to
those risks - Step 3 evaluate audit findings and assess
impact on audit opinion
7SAS 104
- Amendment to SAS 1, Codification of Auditing
Standards and Procedures (Due Professional Care
in the Performance of Work) - Reasonable assurance is a key concept that
underlies all aspects of auditing - Clarifies that the term reasonable means a high
level of assurance - Auditors need reasonable assurance that the
Financial Statements are not materially misstated
8SAS 105
- Amendment to SAS 95, Generally Accepted Auditing
Standards - Cleans up language throughout SASs
- must be performed by persons having adequate
technical training and proficiency as an auditor - must obtain sufficient understanding of the
entity, environment, including Internal control - must obtain sufficient appropriate audit evidence
9SAS 106
- Audit Evidence
- Sufficient appropriate audit evidence is basis
for audit opinions - Evidence must be gathered for each of the
relevant F/S assertions - Defines the term appropriate measure of
quality - Auditors should evaluate the nature and
complexity of the use of IT
10SAS 107
- Audit Risk and Materiality in Conducting an Audit
- Risk of Material Misstatement (RMM)
- Inherent Risk
- Control Risk
- Determining Materiality
- What would users consider material?
11SAS 108
- Planning and Supervision
- Auditor may assign a professional possessing IT
skills to inquire - How data and transactions are initiated,
authorized, recorded, processed and reported - How IT controls are designed inspecting systems
documentation, observing operation of IT
controls and planning and performing tests of IT
controls - Consider changes in IT systems when planning
12SAS 109
- Understanding the Entity and Its Environment and
Assessing the Risks of Material Misstatement - SAS 109 and 110 together supersede SAS 55, 78 and
94 - Includes consideration of the entitys use of
information technology - More on this later
13SAS 110
- Performing Audit Procedures in Response to
Assessed Risks and Evaluating the Audit Evidence
Obtained - Design further audit procedures in response to
risks of material misstatement at the relevant
assertion level. - Make a clear connection between risks/controls
over IT and the extent of testing
14SAS 111
- Amendment to Statement on Auditing Standards No.
39, Audit Sampling - Cleans up Audit Sampling (AU Section 350 SAS
39) to include the Risk Assessment Standards
15SAS 109Greatest Impact on IT Audits
16Key Steps in a Financial Statement Audit
- Assess Risk by performing Risk Assessment
Procedures (SAS 109) - Every financial statement audit you are required
to assess the risks that individual financial
statement assertions are materially misstated. - Including risks associated by IT
- Respond to Risk by designing audit tests that
address those risks (SAS 110)
17Emphasis is on Transactions
- Information technology encompasses automated
means of originating, processing, storing and
communicating information - An entitys use of IT may be extensive, however,
the auditor is primarily interested in the
entity's use of IT to initiate, authorize,
record, process, and report transactions or other
financial data
18Audit Risk
- Risk that the financial statements are materially
misstated - and the auditor fails to detect such a
misstatement or appropriately modify the audit
opinion - Reduce audit risk by
- Assessing the risk of material misstatement
- Based on that assessment, design and perform
overall responses and further audit procedures
that reduce audit risk to a low level.
19Significant Classes of Transactions
- Transactions that are important to our assessment
of the risk of material misstatement - Therefore, we need to design audit procedures to
test these transactions by assertion
(Occurrence Completeness Accuracy Cutoff
Classification ) - For example Personal Income Tax transactions may
be a significant class of transactions to a State
20Material Account Balances
- Account balance on the balance sheet is important
to our assessment of the risk of material
misstatement - Therefore we need to design audit procedures to
test the F/S assertions relevant to this account
balance (Existence Rights and Obligations
Completeness Valuation and Allocation) - Example Long-term Debt may be a material balance
to a states balance sheet
21Internal Control Components
- Control Environment
- sets the tone
- Entitys risk assessment
- identification and analysis of relevant risks
- Information and Communication systems
- support the identification, capture and exchange
of information - Control activities
- policies and procedures that help ensure that
management directives are carried out - Monitoring
- Asses quality of internal controls over time
22Obtain an Understanding
- The auditor should understand the five components
of internal control in order to assess the risk
of material misstatement which will assist in the
following - Identifying potential misstatements
- Considering issues that affect the risks of
material misstatement - Assisting in the design tests of controls and
substantive procedures
23Whats New in SAS 109
- Need to establish a clear link between
- Audit risk
- Significant classes of transactions/material
balances - Financial Statement Assertions
- AND
- IT Applications and Systems
24Computer Controls
- General Controls
- Access (logical and physical)
- Change management
- Operations
- Application Controls
25Goal of Computer Control Reviews
- Gain an adequate understanding of the computer
controls document that understanding so that a
clear link exists between the controls that have
been implemented to the significant financial
statement assertions, i.e., significant account
balances and significant classes of transactions
26SAS 109Steps to Implementation
27Implementing the Risk Assessment Standards
- Training
- IT Auditors trained to think like financial
auditors - Risk, material balances, significant classes of
transactions - Financial Auditors learning to better identify
the applications/systems that are the sources of
the Financial Statements - Communications
- IT Auditors and Financial Auditors meeting to
compare applications vs. transactions/balances - Lesson learned Do Not Assume
28Assess the Situation
- New staff with IT backgrounds
- First year back involved with statewide financial
audit - Simultaneous implementation with financial
auditors
29Training of our staff
- Review of the CAFR and Basic Financial Statements
- Interplay of opinion units and materiality
- Significant Classes of Transactions
- Material Balances
- Audit Risk Risk of Material Misstatement
30Training of our staff
- Risk Assessment Standards
- Risk and materiality in a financial statement
audit - How a financial statement audit differs from a
performance audit - Focus on SAS 109
- Five components of internal control
31Agency Entrance Conferences
- Training auditees providing background
information on risk assessment standards and new
reporting requirements (SAS 112) - Focus on services provided by IT to the agency
What do you do? What transactions do your
applications create? - Take away list of applications and transactions
- Start to make the connection between
systems/applications and dollars
32Meeting with Financial Audit Team
- Discuss the list of applications and transactions
with the Financial Audit Teams (each agency) - Determine which applications process
- Significant classes of transactions, or
- Material financial statement balances
- Are we missing any applications?
- E.g., a certain educational subsidy was not
processed by the Department of Education but
rather processed by another agency on a Unix box
across town
33Summary Memo
- List of applications and systems included in our
controls review - Strategy for grouping systems to efficiently
review controls - Common control can be reviewed together i.e.,
common use of Active Directory for user
authentication or Endeavor to manage change - Level of procedures to be performed
- Walkthrough of one vs. test of a sample
- Are we missing any applications?
- Confirm again with financial auditors
34IT Audit Procedures
- Documenting operational effectiveness of controls
placed in operation - Walkthroughs in four key areas
- Manage change
- Logical access
- Physical access
- Computer operations
35SAS 109 New Areas of Interest
- Manual controls that depend on IT (paragraph 84)
- Error correction procedures (paragraph 85)
- Controls over the financial reporting process
(paragraph 86) - Enter transaction totals into the general ledger
(or equivalent record). - Journal entries and recurring journal entries
- Combine into financial statements
36Other New SASs
- SAS 112 Communicating Internal Control Related
Matters Identified in an Audit (updated by SAS
115) - SAS 113 Omnibus Statement on Auditing Standards
2006 - SAS 114 The Auditors Communication With Those
Charged With Governance
37Communicating Internal Control Matters Identified
in an Audit
- Audit Requirements
- Financial Audits SAS 112 GAO 5.10-5.14
- Performance Audits GAO 8.18 8.20
- SAS 115 effective for audits of financial
statements for periods ending on or after
December 31, 2009 - OMB Circular A133 still requires SAS 112 language
for FYE 6/30/09 audits - Yellow Book still uses SAS 112 language
38SAS 112 vs. 115
- New definition of Significant Deficiency
- SAS 112
- adversely affect the entitys ability to
initiate, authorize, record, process or report
financial data and - More than a remote likelihood of misstatement
- SAS 115
- Deficiency or combination of deficiencies in
internal control that is less severe than a
material weakness, yet important enough to merit
attention by those charged with governance.
39SAS 112 vs. 115
- Change to definition of Material Weakness
- SAS 112
- More than a remote likelihood that a material
misstatement of the financial statements will not
be prevented or detected - SAS 115
- Reasonable possibility that a material
misstatement of the financial statements will not
be prevented, or detected and corrected on a
timely basis
40Those Charged With Governance (TCWG)
- Audit Requirements
- Financial Audits SAS 114 Communication
requirements in SAS 54, 74, 99, 112 GAO
4.06-4.08, 5.44 - Performance Audits GAO 7.46 -7.49, 8.05, 8.07,
8.43, - Auditors should document
- the process used to identify TCWG the
conclusions reached for the appropriate
individuals to receive the required
communications and - evidence that communication with TCWG occurred.
41Recent GAO Guidance
42Government Auditing Standards
- Impact on IT Audits in 2007 revision
- Chapter 4 Fieldwork Standards for Financial
Audits - Covered by AICPA Auditing Standards
- Chapter 7 Standards for Performance Audits
- Some new language
432007 Yellow Book
- IT impacts performance audits in three ways
(paragraph 7.27) - Information systems controls as part of internal
controls - Information systems as the source of reports and
data files (used as evidence and/or used to
support report) - Evaluation of information systems controls as a
major part of an audit objective
44Categories of General Controls in 2007 Yellow Book
- 2007 Yellow Book lists general controls under the
following categories - Security management
- Logical and physical access
- Configuration management
- Segregation of duties
- Contingency planning
- Categories correspond to FISCAM 2009
45FISCAM
- Federal Information System Controls Audit Manual
(FISCAM) - Revised February 2009
- Expanded Purpose provide guidance for GAGAS
Audits - Conforms with 2007 Yellow Book and AICPA auditing
standards
46Business Process Application Controls
- Categories in both 2007 Yellow Book and 2009
FISCAM - Completeness
- Accuracy
- Validity
- Confidentiality
- Availability
47Assessing the Reliability of Computer Processed
Data July 2007
- Designed to be consistent with 2007 Yellow Book
- Replaces the 2002 Assessing the Reliability of
Computer-Processed Data - Key Points
- Conducting only the amount of work necessary to
determine whether the data are reliable enough - Maximizing professional judgment
48Assessing the Reliability of Computer Processed
Data July 2007
49Questions/Comments Thank you!