Catherine Bruder, CPA.CITP, CISA, CISM - PowerPoint PPT Presentation

1
Risk Based Auditing: Understanding and
Implementing SASs 103-112
  • Catherine Bruder, CPA.CITP, CISA, CISM
  • Moore Stephens Doeren Mayhew
  • September 25, 2007

2
Objectives
  • Provide a strategic overview of the eight new
    Statements of Auditing Standards
  • (SAS 104 through SAS 112)
  • Develop an understanding of the new RBA standards

3
Agenda
  • Key Concepts
  • Audit Planning
  • Understanding the Entity, its Environment and
    Risk Assessment
  • Understanding the Entity, its Environment and
    Internal Control
  • Designing and Performing Further Audit Procedures
  • Documentation, Evaluation and Reporting
  • The Ninth New Standard
  • Questions????

4
Overview
  • Effective for Fiscal Years Beginning on or after
    December 15, 2006
  • Significant Implications to the Audit Process
  • Modifies Standards of Fieldwork
  • Eight New Statements of Auditing Standards (SAS
    104 - 111)
  • The Ninth New SAS and What it Means to You

5
The New SASs
  • 104 - Due Professional Care
  • 105 - Amendment to SAS 95, GAAS
  • 106 - Audit Evidence
  • 107 - Audit Risk and Materiality
  • 108 - Planning and Supervision
  • 109 - Understanding the Entity and its Environment
    and Assessing the Risks of Material Misstatement
  • 110 - Performing Audit Procedures in Response to
    Assessed Risks and Evaluating the Audit Evidence
    Obtained
  • 111 - Amendment to SAS 39, Audit Sampling

Effective Dates: 104-111 effective for audits of
F/S for periods beginning on or after 12-15-06.
6
Eight New Standards
  • SAS No. 104
  • Amendment to Statement On Auditing Standards No.
    1, Due Professional Care in the Performance of
    Work
  • SAS No. 105
  • Amendment to Statement on Auditing Standards No.
    95, Generally Accepted Auditing Standards

7
Eight New Standards
  • SAS No. 106
  • Audit Evidence
  • SAS No. 107
  • Audit Risk and Materiality in Conducting an Audit
  • SAS No. 108
  • Planning and Supervision
  • SAS No. 109
  • Understanding the Entity and Its Environment and
    Assessing the Risks of Material Misstatement

8
Eight New Standards
  • SAS No. 110, Performing Audit Procedures in
    Response to Assessed Risks and Evaluating the
    Audit Evidence Obtained
  • SAS No. 111, Amendment to Statement on Auditing
    Standards No. 39, Audit Sampling

9
Standards of Fieldwork
  • Gather Information
  • Evaluate and Assess Risks
  • Design and Perform Audit Procedures Based on Risks
  • Evaluate Audit Evidence Obtained
  • Reach and Document Conclusions
10
Standards of Fieldwork
Historical Approach
  • Gather Information
  • Evaluate and Assess Risks
  • Design and Perform Audit Procedures Based on Risks
  • Evaluate Audit Evidence Obtained
  • Reach and Document Conclusions
11
New Risk Assessment Process
  • Intended to change how an audit is performed
  • Non-linear and iterative
  • Continuous process throughout audit
  • Gathering
  • Updating
  • Analyzing

12
Risk Assessment Process
13
Audit Process Implications
  • Enhanced application of audit risk model
  • More in-depth understanding of the entity and its
    environment including its internal control (and
    Information Technology controls!)
  • More rigorous assessment of risks of material
    misstatement
  • Better linkage between the assessed risk and the
    nature, timing, and extent of audit procedures

14
Key Concepts
15
Audit Risk Model
  • AR = (IR x CR) x DR
  • RMM = IR x CR
  • Objective: Reduce Audit Risk to Low


16
Audit Risk Model
  • AR = RMM x DR
  • AR - Audit Risk is the risk that the financial
    statements are materially misstated and the audit
    fails to detect such a misstatement
  • RMM - Risk of Material Misstatement is the risk
    that an assertion, account, or disclosure item
    contains a material misstatement
  • RMM includes Inherent Risk (IR) and Control Risk
    (CR)
  • DR - Detection Risk is the risk that the auditor
    will not detect material misstatements
  • A function of the nature, timing and
    effectiveness of audit procedures and how the
    auditor responds at both the financial statement
    and the assertion level

17
Audit Planning
18
Understanding the Entity and Its Environment and
Assessing the Risks of Material Misstatement (SAS
109)
  • Conduct a brainstorming session
  • Partners too!
  • Can be done with fraud planning meeting (SAS 99)
  • Documenting expectations in the analytical review
    planning process
  • Evaluate the entity including its internal
    control
  • Including IT controls

19
Due Professional Care in the Performance of Work
(SAS 104)
  • Reasonable Assurance Clarified
  • A high level of assurance about whether the
    financial statements are free of material
    misstatement
  • whether caused by error or fraud
  • Not an absolute level of assurance
  • Auditor must plan and perform the audit in such a
    way to obtain sufficient appropriate audit
    evidence to reduce audit risk to a low level

20
Generally Accepted Auditing Standards (SAS 105)
  • Auditor technical training and proficiency
  • Planning must be performed
  • Understanding of the entity and its environment
  • Governance
  • Internal control

21
Planning and Supervision (SAS 108)
  • Must define
  • Overall audit strategy
  • Audit plan
  • Extent of involvement of specialized auditor -
    such as an IT auditor

22
Generally Accepted Auditing Standards (SAS 105)
  • Assess the risk of material misstatement of the
    financial statements whether due to error or
    fraud
  • Risk of Material Misstatement
  • Combination of Inherent Risk and Control Risk
  • Sufficient, appropriate, documented evidence
  • Begins in planning the audit

23
Understanding the Entity and Its Internal Control
(SAS 105)
  • Previously, just a part of planning
  • Now, part of assessing the risk of material
    misstatement which begins in planning
  • The understanding is part of the audit evidence
    that supports your opinion on the financial
    statements

24
Understanding the Entity, its Environment and
Risk Assessment
25
Audit Risk and Materiality in Conducting an Audit
(SAS 107)
  • Auditor must consider Audit Risk and determine
    materiality
  • Audit Risk (AR)
  • Risk of Material Misstatement (RMM) and Detection
    Risk (DR)
  • AR = RMM x DR
  • Risk of Material Misstatement (RMM)
  • Inherent Risk (IR)
  • Control Risk (CR)

26
Audit Risk and Materiality in Conducting an Audit
(SAS 107)
AR = (IR x CR) x DR, where RMM = IR x CR
  • Auditor must consider Audit Risk and determine
    materiality
  • Audit Risk (AR)
  • Risk of Material Misstatement (RMM) and Detection
    Risk (DR)
  • AR = RMM x DR
  • Risk of Material Misstatement (RMM)
  • Inherent Risk (IR)
  • Control Risk (CR)

27
Risk of Material Misstatement
  • Sources of risks
  • Error
  • Fraud
  • Levels of risks
  • Financial Statement
  • Assertion

28
Audit Risk and Materiality in Conducting an Audit
(SAS 107)
  • Inherent Risk
  • Risk assuming there are no controls
  • Control Risk MUST BE ASSESSED!!!
  • Risk a material misstatement will not be
    prevented or detected by internal control
  • No longer able to default to maximum and not
    evaluate the control environment
  • Control risk must also be determined for IT-
    based controls.
  • Detection Risk
  • Financial statement level
  • Assertion level

29
Audit Risk and Materiality in Conducting an Audit
(SAS 107)
  • Documentation required of risk assessment and
    resulting materiality for
  • Each Account
  • Class of Accounts or Disclosures
  • Relevant Assertions
  • All known and likely misstatements should be
    reported to management
  • Auditor should request management to respond
    appropriately

30
Risk of Material Misstatement
  • Misstatements can result from errors or fraud
  • The RMM consists of two components
  • Inherent Risk is the susceptibility that a
    relevant assertion could be misstated assuming
    that there are no other related controls. The
    auditor should consider the risk of misstatement
    individually as well as in aggregate with other
    misstatements, assuming there are no related
    controls
  • Control Risk is the risk that a material
    misstatement will not be detected or prevented by
    the entity's internal control on a timely basis.
    The auditor must consider the risk of
    misstatement individually and in aggregate with
    other misstatement

31
Risk of Material Misstatement
  • The RMM may reside at either of the following
  • Financial statement level - risks potentially
    affect many different account assertions and
    require an overall approach
  • Assertion level - risks are related to one or
    more assertions in an account or several
    accounts. Assertions include
  • Occurrence/Existence
  • Rights and Obligations
  • Completeness
  • Cut-off
  • Classification
  • Accuracy/Valuation/Allocation

32
Financial Statement Assertions
  • There should be a clear link between the
    financial statement assertions and the risk
    assessment process
  • Assertions are management's implicit or explicit
    representations regarding the recognition,
    measurement, presentation, and disclosure of
    information in the financial statements and
    related disclosures
  • Assertions fall into three categories
  • 1. Classes of transactions
  • 2. Account balances
  • 3. Presentation and disclosure

33
How Assertions are Used in the Audit
  • To establish a clear link between the auditor's
    assessment of the RMM and further audit
    procedures, the risk assessment procedures should
    be performed at the assertion level
  • Tests of controls and substantive audit
    procedures are directed at specific assertions

34
Understanding the Entity, its Environment and
Internal Control
35
Understanding the Entity and Its Environment and
Assessing the Risks of Material Misstatement (SAS
109)
  • Evaluate the entity including its internal
    control
  • Internal control as a process
  • Understanding internal control is required on ALL
    engagements
  • Evaluate control design for preventing, detecting
    and correcting material misstatements
  • Determining if a control has been implemented

36
Design of Internal Controls (SAS 109)
  • Evaluating internal control design involves
    considering whether the control, individually or
    in combination with others, is capable of
    effectively preventing or detecting and
    correcting material misstatements

37
Implementation of Internal Controls (SAS 109)
  • Every audit should also determine whether
    controls have been implemented over all relevant
    assertions related to each material account
    balance, class of transactions, or disclosures
  • Implemented means that the control exists and the
    entity is using it

38
Understanding the Entity and Its Environment and
Assessing the Risks of Material Misstatement (SAS
109)
  • Direct linkage of the understanding of the entity
    and its internal control with the assessment of
    risk
  • Previously, understanding internal control was
    part of planning the audit
  • Operational effectiveness of the internal control
    is required if you plan on relying upon internal
    control to modify procedures
  • Significant risks defined
  • Increased documentation requirements

39
Understanding the Entity and Assessing the RMM
(SAS 109)
  • Auditor should
  • Evaluate the design of the entity's controls and
    determine whether the controls are adequate and
    have been implemented
  • Consider whether any of the assessed risks
    require special audit consideration or for which
    substantive procedures alone do not provide
    sufficient appropriate audit evidence

40
Understanding the Entity and Assessing the RMM
(SAS 109)
  • The auditor should use a combination of methods
    to gather information such as
  • Obtaining and reading written policies and
    procedures
  • Survey questionnaires
  • Preparation of flowcharts to depict the flow of
    financial information
  • Walk-through reviews of processes, data centers,
    network closets, and other observable aspects of
    the IT infrastructure
  • Interviews

Interview alone is not sufficient evidence
41
Operating Effectiveness
  • Effective operation of controls is different from
    their design and implementation
  • The operating effectiveness of controls involves
    the consideration of
  • How controls were applied during the audit period
  • The consistency with which they were applied
  • By whom they were applied
  • To assess the operating effectiveness of
    controls, tests of controls should be performed

Tests of Controls are not mandatory
42
Designing and Performing Further Audit
Procedures
43
Generally Accepted Auditing Standards (SAS 105)
  • Replaces "tests to be performed" with "further
    audit procedures"
  • Further audit procedures include
  • Test of controls and substantive tests
  • Risk assessment procedures
  • Audit evidence vs. evidential matter

44
Audit Evidence (SAS 106)
  • Audit evidence
  • All information used by the auditor in concluding
  • Different evidence provides more or less validity
  • Sufficient, appropriate audit evidence

45
Audit Evidence (SAS 106)
  • Defines relevant audit assertions
  • Re-categorizes assertions
  • Classes of transactions
  • Account balances
  • Presentation and disclosure
  • expressed clearly understandable!
  • Relevant is meaningful as to whether an account
    is fairly stated

46
Audit Evidence (SAS 106)
  • Varying reliability
  • Ties risk assessment procedures in as audit
    evidence
  • Risk assessment procedures
  • Inquiry
  • limited evidence of internal control design and
    implementation
  • Analytical procedures
  • Observation and inspection

47
Performing Audit Procedures in Response to
Assessed Risks and Evaluating the Audit Evidence
Obtained (SAS 110)
  • The auditor should design and perform further
    audit procedures to respond to the assessed RMM
    at the relevant assertion level, which may
    include
  • Tests of controls
  • Substantive procedures
  • SAS 110 provides guidance on matters the auditor
    should consider in determining the nature,
    timing, and extent of such audit procedures

48
Performing Audit Procedures in Response to
Assessed Risks and Evaluating the Audit Evidence
Obtained (SAS 110)
49
Performing Audit Procedures in Response to
Assessed Risks and Evaluating the Audit Evidence
Obtained (SAS 110)
  • Requires documentation of assessed risks and
    further audit procedures
  • Provides guidance on use of Computer Assisted
    Audit Techniques (CAATs) to test for completeness
  • Encourages entities to document controls for use
    in the audit
  • Encourages auditors to test controls, especially
    IT controls because of the inherent consistency
    of IT processing
  • Use of SAS 70s

50
Audit Sampling (SAS 111)
  • Requires auditors to set tolerable misstatements
    for each account, account class, disclosures and
    related tests
  • The aggregate of these individual misstatements
    should be compared to the financial statements'
    calculated tolerable misstatement to determine if
    there is any aggregate misstatement.

51
Risk Assessment Process
[Flowchart: Is Audit Risk Sufficiently Low? (Yes / No)]
52
Documentation, Evaluation and Reporting
53
Key Provisions (SAS 107)
  • Assessed risks and the basis for those
    assessments should be documented
  • The auditor should request that management
    respond appropriately when misstatements (known
    or likely) are identified during the audit

54
Documentation Should
  • Enable an experienced auditor with no previous
    connection to the audit to understand
  • Nature, timing, and extent of procedures
    performed
  • Results of procedures and evidence obtained
  • Conclusion on significant matters
  • Accounting records agree or reconcile to
    financial statements
  • Include identifying characteristics!
  • Document everything that is done!

55
The Ninth New Standard
  • SAS 112

Effective 12/15/2006!!!
56
The Ninth New Standard (SAS 112)
  • Communicating Internal Control Matters
    Identified in an Audit
  • Significant Deficiencies
  • A control deficiency or combination of control
    deficiencies that adversely affects the ability
    to initiate, authorize, record, process or report
    financial data
  • More than inconsequential
  • Not prevented or detected

57
The Ninth New Standard
  • Material Weaknesses
  • A significant deficiency or combinations of
    significant deficiencies
  • More than a remote likelihood that a material
    misstatement of the financial statements
  • Not be prevented or detected
  • Must be in writing!

58
  • Questions???????