SlideShare a Scribd company logo

Sas 104 111 Impact On Auditors

H
himetro

This document provides an overview of SAS 104-111 and what they mean for the audit profession. It discusses the key changes and requirements of each standard, including a greater focus on risk assessment, better understanding of clients' internal controls, and clearly linking risk assessment to the nature and extent of audit procedures. It also provides tips for auditors on implementing the risk-based approach and for clients on preparing for an audit under the new standards to make the process more efficient.

1 of 70
Detailed Information on the SAS 104-111 AND what it means to the audit profession Maryland Association of Nonprofits June 11, 2008
What, Why, How What they are, what they mean Why we have them How we implement them Warnings 2 www.metrometro.com
I’m up to my *&?! In SASs 104 “Due Professional Care” Effective Dates: 105 Amendment to SAS 95, GAAS 104-111 Effective for audits of F/S for periods beginning on 106 Audit Evidence or after 12-15-06. 107 Audit Risk and Materiality 108 Planning and Supervision 109 Understanding the Entity and its environment and assessing the risks of Material Misstatement 110 Performing Audit Procedures in response to assessed risks and evaluating the audit evidence obtained 111 Amendment to SAS 39, Audit Sampling 3 www.metrometro.com
Risk Assessment Standards Enhances the auditor’s application of the audit risk model: AR = [CR x IR] x DR [CR x IR] = RMM AR = Audit Risk CR = Control Risk IR = Inherent Risk DR =Detection Risk RMM = risk of material misstatement 4 www.metrometro.com
Why? (Enron, Worldcom, etc.) Improve implementation of the Audit Risk Model – Better understanding of internal controls Better assessment of the Risk of Material Misstatement (RMM) Determine audit procedures based on the response to RMM Improve the quality and consistency of Audits Help auditors discover fraud – even though we are not engaged to discover fraud 5 www.metrometro.com
Lynford Graham, CPA, PhD, CFE, August 2007 Interview California CPA As a former member of the AICPA’s Auditing Standards Board and Risk Assessment Standards Task Force, and chair of the Risk Assessment and Risk Response Audit Guide Task Force, Graham was instrumental in developing these Audit Risk Standards. http://goliath.ecnext.com/coms2/gi_0199- 6920795/Audit-awareness-SAS-Nos-104.html 6 www.metrometro.com
The following are key points regarding the goals and objectives of having these new standards: Concerns that audits were becoming increasingly risk-based (a good thing), but that there was a lack of guidance on how to go about the risk assessment process (not a good thing). 7 www.metrometro.com
Lynford Graham The trend towards increased reliance upon the seemingly improved and automated systems (especially for larger entities) and the internal audit resources of these entities (large entities, not relevant for small businesses). 8 www.metrometro.com
Lynford Graham The standards mostly clarify the intent of existing standards. 9 www.metrometro.com
Lynford Graham There are only a few “new” concepts such as the identification of “significant risks” for audit engagements. 10 www.metrometro.com
Lynford Graham The requirement to assess internal controls design and implementation, while not a new concept, this assessment was often glossed over for smaller client audits where controls reliance was not planned. Clarifying this requirement creates a need for broad understanding of the COSO framework and its components, how control objectives or attributes are used to assess controls design, and how to identify any obvious quot;holesquot; in the internal controls of an entity. 11 www.metrometro.com
Lynford Graham Concerns are out there that this is a Sarbanes approach, which it is not. SAS No. 78 put the COSO framework clearly in our literature long ago, before SOX. The quot;suitequot; requirement is only to assess the design (and implementation) of controls. 12 www.metrometro.com
Lynford Graham The controls (evaluation) requirements can be limited to the most significant control activity processes, like sales, major cost processes and payroll, and maybe the consolidation and closing process. 13 www.metrometro.com
SAS 112 Told us about material misstatements, these will tell us how to identify better Require a more in-depth understanding of the entity and its environment, including its internal control. More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements. A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks. (The How, stay tuned) 14 www.metrometro.com
Quick Review As we review, think about how these new pronouncements differ from the old requirements. Are they really that different? 15 www.metrometro.com
SAS 104 Amendment to SAS No. 1 regarding DUE PROFESSIONAL CARE KEY CHANGE --> term quot;reasonable assurancequot; is now quot;high level of assurancequot; However, still expressed in auditor's report as quot;reasonable assurancequot; 16 www.metrometro.com
SAS 105 Second Standard of Fieldwork Expands the scope from quot;internal controlquot; to quot;the entity – and its environment, including its internal controlquot; Extends its purpose from quot;planning the auditquot; to – quot;assessing the risk of material misstatement of the financial statements whether due to error or fraudquot; Finally, quot;further audit proceduresquot; replaces quot;tests to be – performedquot; to recognize that audit procedures also performed to obtain understanding of risks. 17 www.metrometro.com
Sas 105 Third standard of Fieldwork Replaces quot;sufficientquot; with quot;appropriatequot; audit – evidence Replaces quot;evidential matterquot; with quot;audit evidence – 18 www.metrometro.com
SAS 106 Audit Evidence - defines the term and provides guidance on its reliability Defines Relevant Assertions and discusses their use in assessing risks & designing appropriate further audit procedures. Higher evidentiary standard - replacement of quot;competentquot; with quot; appropriatequot; evidence Biggest change --> Inquiry alone is not sufficient to determine whether a control has been implemented - now requires observation in conjunction with inquiry at a minimum. 19 www.metrometro.com
SAS 106 Tests of Controls necessary in two circumstances: When auditor's Risk Assessment includes an – expectation of the operating effectiveness of controls When Substantive Procedures alone do not – provide sufficient appropriate audit evidence (auditor should obtain audit evidence about the operating effectiveness of controls 20 www.metrometro.com
SAS 106 Describes how we assess risks related to Assertions & how we design responsive audit procedures. Sufficient Appropriate Audit Evidence Sufficiency is the measure of the quantity of audit evidence Appropriateness is the measure of quality of audit evidence, further defined by: its relevance and its reliability in providing support for, or detecting misstatements in, The Classes of Transactions, Account Balances, and Disclosures and Related Assertions. The auditor should consider the sufficiency and appropriateness of audit evidence when assessing risks and designing further audit procedures. 21 www.metrometro.com
SAS 106 When information produced by the entity is used, – the auditor should obtain audit evidence about the accuracy and completeness of the information. 22 www.metrometro.com
SAS 107 Audit Risk & Materiality in Conducting an Audit Auditor must determine Materiality during planning stage Materiality set based on auditor's perception of the perspective of a reasonable user of the financial statements. 23 www.metrometro.com
SAS 107 Determination of materiality in the planning stage is a starting point --> from there, use professional judgment to modify as facts and circumstances are discovered or change during the audit. Auditor must assess risk: Inherent Risk (no controls) – Control Risk (control will fail) – Combined Risk – KEY CHANGE - No longer permissible for auditor to default to a max control risk 24 www.metrometro.com
SAS 107 Assess risk at each transaction level and each procedure Assessed risks and the basis for those assessments should be documented 25 www.metrometro.com
SAS 107 Documentation Should Enable an experienced auditor with no previous connection to the audit to understand: Nature, timing, and extent of procedures performed – Results of procedures and evidence obtained – Conclusion on significant matters – Accounting records agree or reconcile to financial – statements Include identifying characteristics! Document everything that is done! 26 www.metrometro.com
SAS 108 SAS No. 108, Planning and Supervision (Amends SAS 1 and SAS 22) (No major changes) “The auditor must adequately plan the work and must properly supervise any assistants.” 27 www.metrometro.com
SAS No. 109, Assessing Risks “The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.” 28 www.metrometro.com
SAS 109 Says Understanding the Entity & its Environment & Assessing the Risks of Material Misstatement **Absolutely REQUIRED Auditor required to determine that controls ARE implemented Do not need to TEST controls, but must understand that the designed controls being evaluated are in fact part of the entity's processes. Performance of a quot;walkthruquot; of a client's key controls and – documentation thereof will be important for evidencing the auditor's assessment and understanding of a client's internal controls and in allowing the auditor to assess the appropriate level of Control Risk
SAS 109 When assessing risk, we should consider more input: Inquiries of management, legal counsel, bankers, etc. – Employees, managers, etc. – Visits to premises – Objectives and strategies of the managers and owners – 30 www.metrometro.com
SAS 110 Auditors now REQUIRED to provide a CLEAR LINK between: Understanding the Entity (and its Environment, including Internal Controls) How the risk was assessed The design of the tailored procedures 31 www.metrometro.com
SAS 110 Timing – Auditors may perform procedures at an interim period date. (Big deal, cost savings opportunity) 32 www.metrometro.com
SAS 110 SAS No. 110, Performing Procedures (continued) Test of Controls may be rotated – The auditor should test the operating effectiveness of controls at least every three years in an annual audit – The auditor should update his or her understanding to ensure controls have not changed – If the auditor plans to rely on control that have changed, the auditor should test the controls 33 www.metrometro.com
SAS 111 SAS No. 111 provides enhanced guidance on tolerable misstatement. In general, tolerable misstatement in an account should be less than materiality to allow for aggregation in final assessment. Ordinarily sample sizes for non-statistical samples are comparable to sample sizes for an efficient and effectively designed statistical sample with the same sampling parameters. 34 www.metrometro.com
What We (Auditors) Have To Do (How) Assess strength of design of controls? Will they work? – Should they work? – Determine if the controls are operating? Do they work – 35 www.metrometro.com
New Approach PPC Smart E Practice Aids Walk-thru the business processes and related controls to assess risk Number of transactions – Materiality of account balance – Develop audit programs accordingly 36 www.metrometro.com
Clients 8 weeks out, we will send you questionnaires to tell us how your processes work and how your related internal controls are designed. Visit twice, once for information gathering for risk assessment, then once for fieldwork. Spread your work out, this is a good thing. Can we do the walkthrough at the planning visit? Some, at least. 37 www.metrometro.com
Details of Your Controls (still the client) How transactions are initiated and authorized How they flow through the accounting system How outside records are reconciled to the transactions and end up on the financial statements 38 www.metrometro.com
Auditor Audit team member will take your information and complete a detailed worksheet to identify control risk areas – risks of material misstatements Poor segregation of duties – Pressure on management to make numbers (misstatement – of revenue always a risk) Staff turnover and other changes – We will interview other client employees as part of our – information gathering. What do they know, what have they heard? 39 www.metrometro.com
Auditors We assign a level of risk for each key area of financial statement, high/medium/low Generate (PPC Smart E Practice Aids) one of three audit programs in that area: Limited – primarily analytical review plus some – other procedures Basic – some testing of account balances plus – other procedures Extended – everything for higher risk areas – 40 www.metrometro.com
Team Meeting Audit team meets to review results of risk assessment and discuss key financial statement areas 41 www.metrometro.com
Walkthrough We have to evaluate controls to the same standards that we evaluate other audit evidence. Need to know more about the processes and related controls Pick a process, walk through the system, evaluate the risk 42 www.metrometro.com
Evaluate the Risk Do controls exist? Are they satisfactory? Design deficiency – Are they working properly? Operating deficiency – 43 www.metrometro.com
Increase audit work and risk More management letter points – Quicker to significant deficiency and material – weakness (SAS 112) Expect 15-25% more time on the audit – Involve your clients, it’s a different audit now, you – can’t do it all by yourself Possibly create control specialists to do the risk – assessment 44 www.metrometro.com
Take Control - Make Your Audit Easier Make less journal entries - Audit standards require that we review journal entries for unusual activities. The more entries, the longer the audit takes. You can cut down on journal entries by recording bank charges, debits and manual checks as you would any other cash disbursement. Record bank account interest earned like you would a deposit. 45 www.metrometro.com
Take Control - Make Your Audit Easier Be ready for us - Make sure your auditor has provided you with a long Client Assistance List (CAL) or PBC (Provided by Client) list. The longer the better so that you can do the work at your schedule instead of scurrying during the audit fieldwork. Number the list and have a folder, notebook tab, or pile for each number. Impress the auditor, be organized, that's what we're looking for. 46 www.metrometro.com
Take Control - Make Your Audit Easier Be consistent and predictable - We like ordinary and boring. If you have a group of month end journal entries for depreciation, accrued payroll, etc., make them all on one entry that looks the same each month. Keep entries as ordinary and routine as possible. Record deposits the same. Record invoices the same. Make the transactions as easily identifiable as possible. 47 www.metrometro.com
Take Control - Make Your Audit Easier Support, Support, Support - Every transaction requires support. Checks, deposits, journal entries. Be consistent by including the same support on each type of transaction. Make sure every transaction has the required approvals. 48 www.metrometro.com
Take Control - Make Your Audit Easier Document your approval processes and follow them - If a disbursement requires a board signature, make sure it has a board signature. Make sure your approval processes will pass the auditor's tests. 49 www.metrometro.com
Take Control - Make Your Audit Easier Don't turn the audit engagement into an accounting engagement. Get the accounting work done first. Post accruals, depreciation, make sure everything ties in, etc. We don't want to do accounting work at the audit. Auditors like to tick and tie to get comfort that the numbers are right. Every time we have to make an entry, you lose credibility and it takes longer for us to get comfortable. Your auditors don't have to be your accountants, you can hire an accountant to do a monthly or quarterly review so that you'll be more prepared for your audit. 50 www.metrometro.com
Take Control - Make Your Audit Easier Insist on consistency from your audit team. Ask ahead of time, who will be coming. Are they the same auditors as last year? If not, push back a little bit. The more consistency, the less learning curve and the less interruptions. 51 www.metrometro.com
Risk Assessment Standards To gain some insight on the need for, and utilization of, these standards, California CPA recently interviewed CPA Lynford Graham, Ph.D., CFE. 52 www.metrometro.com
Lynford Graham, Ph.D CPA, CFE As a former member of the AICPA's Auditing Standards Board and Risk Assessment Standards Task Force, and chair of the Risk Assessment and Risk Response Audit Guide Task Force, Graham was instrumental in developing these Audit Risk Standards. A frequent lecturer on the subject nationwide, Graham also is the author of a handbook on documenting internal controls for non-public companies. 53 www.metrometro.com
Question What were the goals and objectives of the ASB and Risk Assessment Standards Task Force? 54 www.metrometro.com
Answer A: The ASB, in coordination with the International Audit and Attest Standards Board, undertook a joint project in the latter 1990s to clarify many of the core auditing standards and advance more guidance on the role and performance of risk assessment. This was in response to concerns that audits were becoming increasingly risk-based, but there was a lack of guidance on how to go about the risk assessment process. 55 www.metrometro.com
Answer (cont) There were also concerns that, in some cases, too little audit work was being done to identify and correct any errors that might exist in the pre-audit financial statement records. Graham 56 www.metrometro.com
Answer (cont) Auditors of major entities were becoming more reliant on the seemingly improved and automated systems, and internal audit resources of these entities. Graham 57 www.metrometro.com
Why Now? The disastrous events and audit failures in early 2000 that lead to the Sarbanes-Oxley Act of 2002 are evidence that the project was on target, but that it was too late to avoid the events of Enron, WorldCom and the litany of business and audit failures in that time period. Graham 58 www.metrometro.com
Q: How revolutionary are these standards? A: Tough question. Much of the answer depends on what you have been doing in your audits all along. Graham 59 www.metrometro.com
Answer (cont) How revolutionary are these standards? The standards mostly clarify the intent of existing standards. Many firms have been successfully using the concepts in these new standards for a long time. For example, using audit assertions as an integral part of the audit planning and performance of the audit is not new. Neither is the assessment of controls as part of understanding the audited entity. That requirement extends to before SAS No. 55. Graham 60 www.metrometro.com
Answer (cont) How revolutionary are these standards? There are only a few quot;newquot; concepts, such as the identification of quot;significant risksquot; for audit engagements, which was not part of the auditing literature before, but were still practices of some firms before SAS No. 109. In any case, the extent of change these standards will bring will differ from firm to firm. Graham 61 www.metrometro.com
Where are firms struggling with implementation? A: The requirement to assess internal controls design and implementation for audit clients seems to be giving some firms consternation. While not a new concept, this assessment was often glossed over for smaller client audits where controls reliance was not planned 62 www.metrometro.com
Where are firms struggling with implementation? Clarifying this requirement creates a need for broad understanding of the COSO framework and its components, how control objectives or attributes are used to assess controls design, and how to identify any obvious quot;holesquot; in the internal controls of an entity. 63 www.metrometro.com
Where are firms struggling with implementation? Concerns are out there that this is a Sarbanes approach, which it is not. SAS No. 78 put the COSO framework clearly in our literature long ago, before SOX. The quot;suitequot; requirement is only to assess the design of controls and there is no requirement to test them. 64 www.metrometro.com
Where are firms struggling with implementation? In addition, the controls requirements can be limited to the most significant control activity processes, like sales, major cost processes and payroll, and maybe the consolidation and closing process. SOX requirements are much more extensive and require controls testing. 65 www.metrometro.com
Where are firms struggling with implementation? Reporting material weaknesses and significant deficiencies in controls, in writing, to the governance group is also an area of attention and concern. While not officially in the suite, SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit, works with SAS No. 109 to ensure internal control matters are identified and communicated. 66 www.metrometro.com
Additional Parts of Graham Interview audits of smaller entities are not supposed to be a second-class service compared with audits of larger entities. By clarifying the standards, all firms will compete on an equal footing, and not by re-defining what constitutes an audit under Generally Accepted Auditing Standards. 67 www.metrometro.com
Why so much focus on risk assessment? A 2006 Certified Fraud Examiners survey revealed the median size of reported fraud in entities of less than 100 employees is $190,000. How many businesses of that size can withstand losing that amount of money and survive? 68 www.metrometro.com
Guidance for the nonprofit Graham has a book coming out, Internal Controls: Guidance for Private, Government and Nonprofit Entities, which helps companies understand how to document their controls and helps to bridge the auditor- client issues in controls assessment and testing. 69 www.metrometro.com
What do CPAs need to understand most clearly about the standards? Many of the new requirements will require a real first-year effort to get up and running. The maintenance in year two, and beyond, of well-implemented changes will not be that hard or expensive. Graham 70 www.metrometro.com

Recommended

SAS 104-111 for Nonprofit Execs
SAS 104-111 for Nonprofit ExecsSAS 104-111 for Nonprofit Execs
SAS 104-111 for Nonprofit Execshimetro
 
How auditable is your disaster recovery program
How auditable is your disaster recovery programHow auditable is your disaster recovery program
How auditable is your disaster recovery programgeekmodeboy
 
INDEPEDENT OUTSOURCING ASSURANCE
INDEPEDENT OUTSOURCING ASSURANCEINDEPEDENT OUTSOURCING ASSURANCE
INDEPEDENT OUTSOURCING ASSURANCEArul Nambi
 
There’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskThere’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskPriyanka Aash
 
Evolving Risk Indicators
Evolving Risk IndicatorsEvolving Risk Indicators
Evolving Risk IndicatorsTRI, the risk-based monitoring company
 
Group 07
Group 07Group 07
Group 07EishaMoni
 
01 Symbianosbasics Introducao
01 Symbianosbasics Introducao01 Symbianosbasics Introducao
01 Symbianosbasics IntroducaoTiago Romão
 
Anytime, Anywhere Approach To Social Media
Anytime, Anywhere Approach To Social MediaAnytime, Anywhere Approach To Social Media
Anytime, Anywhere Approach To Social Mediaguest8143e
 

Recommended

SAS 104-111 for Nonprofit Execs
SAS 104-111 for Nonprofit ExecsSAS 104-111 for Nonprofit Execs
SAS 104-111 for Nonprofit Execshimetro
 
How auditable is your disaster recovery program
How auditable is your disaster recovery programHow auditable is your disaster recovery program
How auditable is your disaster recovery programgeekmodeboy
 
INDEPEDENT OUTSOURCING ASSURANCE
INDEPEDENT OUTSOURCING ASSURANCEINDEPEDENT OUTSOURCING ASSURANCE
INDEPEDENT OUTSOURCING ASSURANCEArul Nambi
 
There’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskThere’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskPriyanka Aash
 
Evolving Risk Indicators
Evolving Risk IndicatorsEvolving Risk Indicators
Evolving Risk IndicatorsTRI, the risk-based monitoring company
 
Group 07
Group 07Group 07
Group 07EishaMoni
 
01 Symbianosbasics Introducao
01 Symbianosbasics Introducao01 Symbianosbasics Introducao
01 Symbianosbasics IntroducaoTiago Romão
 
Anytime, Anywhere Approach To Social Media
Anytime, Anywhere Approach To Social MediaAnytime, Anywhere Approach To Social Media
Anytime, Anywhere Approach To Social Mediaguest8143e
 
Sas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md NonprofitsSas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md Nonprofitshimetro
 
Transforming compliance and audit management with ServiceNow
Transforming compliance and audit management with ServiceNowTransforming compliance and audit management with ServiceNow
Transforming compliance and audit management with ServiceNowIceberg Networks Corporation
 
Student Name Brief #5 Use of Audit Software Review and Survey.docx
Student Name Brief #5 Use of Audit Software Review and Survey.docxStudent Name Brief #5 Use of Audit Software Review and Survey.docx
Student Name Brief #5 Use of Audit Software Review and Survey.docxemelyvalg9
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit ProcessRam Srivastava
 
Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...
Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...
Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...TURKI , PMP
 
Chapter 12 - Designing Substantive Procedures
Chapter 12 - Designing Substantive ProceduresChapter 12 - Designing Substantive Procedures
Chapter 12 - Designing Substantive ProceduresSazzad Hossain, ITP, MBA, CSCA™
 
Audit Sampling
Audit SamplingAudit Sampling
Audit SamplingEMAC Consulting Group
 
Insights-Model-Validation
Insights-Model-ValidationInsights-Model-Validation
Insights-Model-ValidationMike Wilkinson
 
Audit solution airline
Audit solution airlineAudit solution airline
Audit solution airlineMetricStream Inc
 
AUDIT: BUILDING PUBLIC TRUST
AUDIT: BUILDING PUBLIC TRUSTAUDIT: BUILDING PUBLIC TRUST
AUDIT: BUILDING PUBLIC TRUSTKaushalKishore120
 
Best practice for risk based inspection
Best practice for risk based inspectionBest practice for risk based inspection
Best practice for risk based inspectionOsama Lari
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSathishKumar960827
 
Atila Kas
Atila KasAtila Kas
Atila KasAlma Total Solutions
 
FS_StressTestingCapitalPlanning_BR_1213 v1
FS_StressTestingCapitalPlanning_BR_1213 v1FS_StressTestingCapitalPlanning_BR_1213 v1
FS_StressTestingCapitalPlanning_BR_1213 v1Sudip Chatterjee
 
Understanding of entity and inherent risk assessment (including case studies)
Understanding of entity and inherent risk assessment (including case studies)Understanding of entity and inherent risk assessment (including case studies)
Understanding of entity and inherent risk assessment (including case studies)MUHAMMAD HUZAIFA CHAUDHARY
 
Best Practices in Model Risk Audit
Best Practices in Model Risk AuditBest Practices in Model Risk Audit
Best Practices in Model Risk AuditJacob Kosoff
 
ISA 315 (Revised) - Exposure Draft Webinar, October 3rd, 2018
ISA 315 (Revised) - Exposure Draft Webinar, October 3rd, 2018ISA 315 (Revised) - Exposure Draft Webinar, October 3rd, 2018
ISA 315 (Revised) - Exposure Draft Webinar, October 3rd, 2018International Federation of Accountants
 
A Financial Planning Leader Streamlines Audit, Risk and Compliance
A Financial Planning Leader Streamlines Audit, Risk and Compliance A Financial Planning Leader Streamlines Audit, Risk and Compliance
A Financial Planning Leader Streamlines Audit, Risk and Compliance MetricStream Inc
 
Sym Sure Loan Portfolio
Sym Sure Loan PortfolioSym Sure Loan Portfolio
Sym Sure Loan Portfoliojjfrec07
 
Competence Assurance beyond compliance and certification
Competence Assurance beyond compliance and certificationCompetence Assurance beyond compliance and certification
Competence Assurance beyond compliance and certificationmervynrs
 

More Related Content

Similar to Sas 104 111 Impact On Auditors

Sas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md NonprofitsSas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md Nonprofitshimetro
 
Transforming compliance and audit management with ServiceNow
Transforming compliance and audit management with ServiceNowTransforming compliance and audit management with ServiceNow
Transforming compliance and audit management with ServiceNowIceberg Networks Corporation
 
Student Name Brief #5 Use of Audit Software Review and Survey.docx
Student Name Brief #5 Use of Audit Software Review and Survey.docxStudent Name Brief #5 Use of Audit Software Review and Survey.docx
Student Name Brief #5 Use of Audit Software Review and Survey.docxemelyvalg9
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit ProcessRam Srivastava
 
Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...
Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...
Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...TURKI , PMP
 
Insights-Model-Validation
Insights-Model-ValidationInsights-Model-Validation
Insights-Model-ValidationMike Wilkinson
 
AUDIT: BUILDING PUBLIC TRUST
AUDIT: BUILDING PUBLIC TRUSTAUDIT: BUILDING PUBLIC TRUST
AUDIT: BUILDING PUBLIC TRUSTKaushalKishore120
 
Best practice for risk based inspection
Best practice for risk based inspectionBest practice for risk based inspection
Best practice for risk based inspectionOsama Lari
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSathishKumar960827
 
FS_StressTestingCapitalPlanning_BR_1213 v1
FS_StressTestingCapitalPlanning_BR_1213 v1FS_StressTestingCapitalPlanning_BR_1213 v1
FS_StressTestingCapitalPlanning_BR_1213 v1Sudip Chatterjee
 
Understanding of entity and inherent risk assessment (including case studies)
Understanding of entity and inherent risk assessment (including case studies)Understanding of entity and inherent risk assessment (including case studies)
Understanding of entity and inherent risk assessment (including case studies)MUHAMMAD HUZAIFA CHAUDHARY
 
Best Practices in Model Risk Audit
Best Practices in Model Risk AuditBest Practices in Model Risk Audit
Best Practices in Model Risk AuditJacob Kosoff
 
A Financial Planning Leader Streamlines Audit, Risk and Compliance
A Financial Planning Leader Streamlines Audit, Risk and Compliance A Financial Planning Leader Streamlines Audit, Risk and Compliance
A Financial Planning Leader Streamlines Audit, Risk and Compliance MetricStream Inc
 
Sym Sure Loan Portfolio
Sym Sure Loan PortfolioSym Sure Loan Portfolio
Sym Sure Loan Portfoliojjfrec07
 
Competence Assurance beyond compliance and certification
Competence Assurance beyond compliance and certificationCompetence Assurance beyond compliance and certification
Competence Assurance beyond compliance and certificationmervynrs
 

Similar to Sas 104 111 Impact On Auditors (20)

Sas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md NonprofitsSas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md Nonprofits
 
Transforming compliance and audit management with ServiceNow
Transforming compliance and audit management with ServiceNowTransforming compliance and audit management with ServiceNow
Transforming compliance and audit management with ServiceNow
 
Student Name Brief #5 Use of Audit Software Review and Survey.docx
Student Name Brief #5 Use of Audit Software Review and Survey.docxStudent Name Brief #5 Use of Audit Software Review and Survey.docx
Student Name Brief #5 Use of Audit Software Review and Survey.docx
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
 
Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...
Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...
Inform the selection of 5 efficiency and 8 effectiveness measures. This frame...
 
Chapter 12 - Designing Substantive Procedures
Chapter 12 - Designing Substantive ProceduresChapter 12 - Designing Substantive Procedures
Chapter 12 - Designing Substantive Procedures
 
Audit Sampling
Audit SamplingAudit Sampling
Audit Sampling
 
Insights-Model-Validation
Insights-Model-ValidationInsights-Model-Validation
Insights-Model-Validation
 
Audit solution airline
Audit solution airlineAudit solution airline
Audit solution airline
 
AUDIT: BUILDING PUBLIC TRUST
AUDIT: BUILDING PUBLIC TRUSTAUDIT: BUILDING PUBLIC TRUST
AUDIT: BUILDING PUBLIC TRUST
 
Best practice for risk based inspection
Best practice for risk based inspectionBest practice for risk based inspection
Best practice for risk based inspection
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdf
 
Atila Kas
Atila KasAtila Kas
Atila Kas
 
FS_StressTestingCapitalPlanning_BR_1213 v1
FS_StressTestingCapitalPlanning_BR_1213 v1FS_StressTestingCapitalPlanning_BR_1213 v1
FS_StressTestingCapitalPlanning_BR_1213 v1
 
Understanding of entity and inherent risk assessment (including case studies)
Understanding of entity and inherent risk assessment (including case studies)Understanding of entity and inherent risk assessment (including case studies)
Understanding of entity and inherent risk assessment (including case studies)
 
Best Practices in Model Risk Audit
Best Practices in Model Risk AuditBest Practices in Model Risk Audit
Best Practices in Model Risk Audit
 
ISA 315 (Revised) - Exposure Draft Webinar, October 3rd, 2018
ISA 315 (Revised) - Exposure Draft Webinar, October 3rd, 2018ISA 315 (Revised) - Exposure Draft Webinar, October 3rd, 2018
ISA 315 (Revised) - Exposure Draft Webinar, October 3rd, 2018
 
A Financial Planning Leader Streamlines Audit, Risk and Compliance
A Financial Planning Leader Streamlines Audit, Risk and Compliance A Financial Planning Leader Streamlines Audit, Risk and Compliance
A Financial Planning Leader Streamlines Audit, Risk and Compliance
 
Sym Sure Loan Portfolio
Sym Sure Loan PortfolioSym Sure Loan Portfolio
Sym Sure Loan Portfolio
 
Competence Assurance beyond compliance and certification
Competence Assurance beyond compliance and certificationCompetence Assurance beyond compliance and certification
Competence Assurance beyond compliance and certification
 

Sas 104 111 Impact On Auditors

  • 1. Detailed Information on the SAS 104-111 AND what it means to the audit profession Maryland Association of Nonprofits June 11, 2008
  • 2. What, Why, How What they are, what they mean Why we have them How we implement them Warnings 2 www.metrometro.com
  • 3. I’m up to my *&?! In SASs 104 “Due Professional Care” Effective Dates: 105 Amendment to SAS 95, GAAS 104-111 Effective for audits of F/S for periods beginning on 106 Audit Evidence or after 12-15-06. 107 Audit Risk and Materiality 108 Planning and Supervision 109 Understanding the Entity and its environment and assessing the risks of Material Misstatement 110 Performing Audit Procedures in response to assessed risks and evaluating the audit evidence obtained 111 Amendment to SAS 39, Audit Sampling 3 www.metrometro.com
  • 4. Risk Assessment Standards Enhances the auditor’s application of the audit risk model: AR = [CR x IR] x DR [CR x IR] = RMM AR = Audit Risk CR = Control Risk IR = Inherent Risk DR =Detection Risk RMM = risk of material misstatement 4 www.metrometro.com
  • 5. Why? (Enron, Worldcom, etc.) Improve implementation of the Audit Risk Model – Better understanding of internal controls Better assessment of the Risk of Material Misstatement (RMM) Determine audit procedures based on the response to RMM Improve the quality and consistency of Audits Help auditors discover fraud – even though we are not engaged to discover fraud 5 www.metrometro.com
  • 6. Lynford Graham, CPA, PhD, CFE, August 2007 Interview California CPA As a former member of the AICPA’s Auditing Standards Board and Risk Assessment Standards Task Force, and chair of the Risk Assessment and Risk Response Audit Guide Task Force, Graham was instrumental in developing these Audit Risk Standards. http://goliath.ecnext.com/coms2/gi_0199- 6920795/Audit-awareness-SAS-Nos-104.html 6 www.metrometro.com
  • 7. The following are key points regarding the goals and objectives of having these new standards: Concerns that audits were becoming increasingly risk-based (a good thing), but that there was a lack of guidance on how to go about the risk assessment process (not a good thing). 7 www.metrometro.com
  • 8. Lynford Graham The trend towards increased reliance upon the seemingly improved and automated systems (especially for larger entities) and the internal audit resources of these entities (large entities, not relevant for small businesses). 8 www.metrometro.com
  • 9. Lynford Graham The standards mostly clarify the intent of existing standards. 9 www.metrometro.com
  • 10. Lynford Graham There are only a few “new” concepts such as the identification of “significant risks” for audit engagements. 10 www.metrometro.com
  • 11. Lynford Graham The requirement to assess internal controls design and implementation, while not a new concept, this assessment was often glossed over for smaller client audits where controls reliance was not planned. Clarifying this requirement creates a need for broad understanding of the COSO framework and its components, how control objectives or attributes are used to assess controls design, and how to identify any obvious quot;holesquot; in the internal controls of an entity. 11 www.metrometro.com
  • 12. Lynford Graham Concerns are out there that this is a Sarbanes approach, which it is not. SAS No. 78 put the COSO framework clearly in our literature long ago, before SOX. The quot;suitequot; requirement is only to assess the design (and implementation) of controls. 12 www.metrometro.com
  • 13. Lynford Graham The controls (evaluation) requirements can be limited to the most significant control activity processes, like sales, major cost processes and payroll, and maybe the consolidation and closing process. 13 www.metrometro.com
  • 14. SAS 112 Told us about material misstatements, these will tell us how to identify better Require a more in-depth understanding of the entity and its environment, including its internal control. More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements. A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks. (The How, stay tuned) 14 www.metrometro.com
  • 15. Quick Review As we review, think about how these new pronouncements differ from the old requirements. Are they really that different? 15 www.metrometro.com
  • 16. SAS 104 Amendment to SAS No. 1 regarding DUE PROFESSIONAL CARE KEY CHANGE --> term quot;reasonable assurancequot; is now quot;high level of assurancequot; However, still expressed in auditor's report as quot;reasonable assurancequot; 16 www.metrometro.com
  • 17. SAS 105 Second Standard of Fieldwork Expands the scope from quot;internal controlquot; to quot;the entity – and its environment, including its internal controlquot; Extends its purpose from quot;planning the auditquot; to – quot;assessing the risk of material misstatement of the financial statements whether due to error or fraudquot; Finally, quot;further audit proceduresquot; replaces quot;tests to be – performedquot; to recognize that audit procedures also performed to obtain understanding of risks. 17 www.metrometro.com
  • 18. Sas 105 Third standard of Fieldwork Replaces quot;sufficientquot; with quot;appropriatequot; audit – evidence Replaces quot;evidential matterquot; with quot;audit evidence – 18 www.metrometro.com
  • 19. SAS 106 Audit Evidence - defines the term and provides guidance on its reliability Defines Relevant Assertions and discusses their use in assessing risks & designing appropriate further audit procedures. Higher evidentiary standard - replacement of quot;competentquot; with quot; appropriatequot; evidence Biggest change --> Inquiry alone is not sufficient to determine whether a control has been implemented - now requires observation in conjunction with inquiry at a minimum. 19 www.metrometro.com
  • 20. SAS 106 Tests of Controls necessary in two circumstances: When auditor's Risk Assessment includes an – expectation of the operating effectiveness of controls When Substantive Procedures alone do not – provide sufficient appropriate audit evidence (auditor should obtain audit evidence about the operating effectiveness of controls 20 www.metrometro.com
  • 21. SAS 106 Describes how we assess risks related to Assertions & how we design responsive audit procedures. Sufficient Appropriate Audit Evidence Sufficiency is the measure of the quantity of audit evidence Appropriateness is the measure of quality of audit evidence, further defined by: its relevance and its reliability in providing support for, or detecting misstatements in, The Classes of Transactions, Account Balances, and Disclosures and Related Assertions. The auditor should consider the sufficiency and appropriateness of audit evidence when assessing risks and designing further audit procedures. 21 www.metrometro.com
  • 22. SAS 106 When information produced by the entity is used, – the auditor should obtain audit evidence about the accuracy and completeness of the information. 22 www.metrometro.com
  • 23. SAS 107 Audit Risk & Materiality in Conducting an Audit Auditor must determine Materiality during planning stage Materiality set based on auditor's perception of the perspective of a reasonable user of the financial statements. 23 www.metrometro.com
  • 24. SAS 107 Determination of materiality in the planning stage is a starting point --> from there, use professional judgment to modify as facts and circumstances are discovered or change during the audit. Auditor must assess risk: Inherent Risk (no controls) – Control Risk (control will fail) – Combined Risk – KEY CHANGE - No longer permissible for auditor to default to a max control risk 24 www.metrometro.com
  • 25. SAS 107 Assess risk at each transaction level and each procedure Assessed risks and the basis for those assessments should be documented 25 www.metrometro.com
  • 26. SAS 107 Documentation Should Enable an experienced auditor with no previous connection to the audit to understand: Nature, timing, and extent of procedures performed – Results of procedures and evidence obtained – Conclusion on significant matters – Accounting records agree or reconcile to financial – statements Include identifying characteristics! Document everything that is done! 26 www.metrometro.com
  • 27. SAS 108 SAS No. 108, Planning and Supervision (Amends SAS 1 and SAS 22) (No major changes) “The auditor must adequately plan the work and must properly supervise any assistants.” 27 www.metrometro.com
  • 28. SAS No. 109, Assessing Risks “The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.” 28 www.metrometro.com
  • 29. SAS 109 Says Understanding the Entity & its Environment & Assessing the Risks of Material Misstatement **Absolutely REQUIRED Auditor required to determine that controls ARE implemented Do not need to TEST controls, but must understand that the designed controls being evaluated are in fact part of the entity's processes. Performance of a quot;walkthruquot; of a client's key controls and – documentation thereof will be important for evidencing the auditor's assessment and understanding of a client's internal controls and in allowing the auditor to assess the appropriate level of Control Risk
  • 30. SAS 109 When assessing risk, we should consider more input: Inquiries of management, legal counsel, bankers, etc. – Employees, managers, etc. – Visits to premises – Objectives and strategies of the managers and owners – 30 www.metrometro.com
  • 31. SAS 110 Auditors now REQUIRED to provide a CLEAR LINK between: Understanding the Entity (and its Environment, including Internal Controls) How the risk was assessed The design of the tailored procedures 31 www.metrometro.com
  • 32. SAS 110 Timing – Auditors may perform procedures at an interim period date. (Big deal, cost savings opportunity) 32 www.metrometro.com
  • 33. SAS 110 SAS No. 110, Performing Procedures (continued) Test of Controls may be rotated – The auditor should test the operating effectiveness of controls at least every three years in an annual audit – The auditor should update his or her understanding to ensure controls have not changed – If the auditor plans to rely on control that have changed, the auditor should test the controls 33 www.metrometro.com
  • 34. SAS 111 SAS No. 111 provides enhanced guidance on tolerable misstatement. In general, tolerable misstatement in an account should be less than materiality to allow for aggregation in final assessment. Ordinarily sample sizes for non-statistical samples are comparable to sample sizes for an efficient and effectively designed statistical sample with the same sampling parameters. 34 www.metrometro.com
  • 35. What We (Auditors) Have To Do (How) Assess strength of design of controls? Will they work? – Should they work? – Determine if the controls are operating? Do they work – 35 www.metrometro.com
  • 36. New Approach PPC Smart E Practice Aids Walk-thru the business processes and related controls to assess risk Number of transactions – Materiality of account balance – Develop audit programs accordingly 36 www.metrometro.com
  • 37. Clients 8 weeks out, we will send you questionnaires to tell us how your processes work and how your related internal controls are designed. Visit twice, once for information gathering for risk assessment, then once for fieldwork. Spread your work out, this is a good thing. Can we do the walkthrough at the planning visit? Some, at least. 37 www.metrometro.com
  • 38. Details of Your Controls (still the client) How transactions are initiated and authorized How they flow through the accounting system How outside records are reconciled to the transactions and end up on the financial statements 38 www.metrometro.com
  • 39. Auditor Audit team member will take your information and complete a detailed worksheet to identify control risk areas – risks of material misstatements Poor segregation of duties – Pressure on management to make numbers (misstatement – of revenue always a risk) Staff turnover and other changes – We will interview other client employees as part of our – information gathering. What do they know, what have they heard? 39 www.metrometro.com
  • 40. Auditors We assign a level of risk for each key area of financial statement, high/medium/low Generate (PPC Smart E Practice Aids) one of three audit programs in that area: Limited – primarily analytical review plus some – other procedures Basic – some testing of account balances plus – other procedures Extended – everything for higher risk areas – 40 www.metrometro.com
  • 41. Team Meeting Audit team meets to review results of risk assessment and discuss key financial statement areas 41 www.metrometro.com
  • 42. Walkthrough We have to evaluate controls to the same standards that we evaluate other audit evidence. Need to know more about the processes and related controls Pick a process, walk through the system, evaluate the risk 42 www.metrometro.com
  • 43. Evaluate the Risk Do controls exist? Are they satisfactory? Design deficiency – Are they working properly? Operating deficiency – 43 www.metrometro.com
  • 44. Increase audit work and risk More management letter points – Quicker to significant deficiency and material – weakness (SAS 112) Expect 15-25% more time on the audit – Involve your clients, it’s a different audit now, you – can’t do it all by yourself Possibly create control specialists to do the risk – assessment 44 www.metrometro.com
  • 45. Take Control - Make Your Audit Easier Make less journal entries - Audit standards require that we review journal entries for unusual activities. The more entries, the longer the audit takes. You can cut down on journal entries by recording bank charges, debits and manual checks as you would any other cash disbursement. Record bank account interest earned like you would a deposit. 45 www.metrometro.com
  • 46. Take Control - Make Your Audit Easier Be ready for us - Make sure your auditor has provided you with a long Client Assistance List (CAL) or PBC (Provided by Client) list. The longer the better so that you can do the work at your schedule instead of scurrying during the audit fieldwork. Number the list and have a folder, notebook tab, or pile for each number. Impress the auditor, be organized, that's what we're looking for. 46 www.metrometro.com
  • 47. Take Control - Make Your Audit Easier Be consistent and predictable - We like ordinary and boring. If you have a group of month end journal entries for depreciation, accrued payroll, etc., make them all on one entry that looks the same each month. Keep entries as ordinary and routine as possible. Record deposits the same. Record invoices the same. Make the transactions as easily identifiable as possible. 47 www.metrometro.com
  • 48. Take Control - Make Your Audit Easier Support, Support, Support - Every transaction requires support. Checks, deposits, journal entries. Be consistent by including the same support on each type of transaction. Make sure every transaction has the required approvals. 48 www.metrometro.com
  • 49. Take Control - Make Your Audit Easier Document your approval processes and follow them - If a disbursement requires a board signature, make sure it has a board signature. Make sure your approval processes will pass the auditor's tests. 49 www.metrometro.com
  • 50. Take Control - Make Your Audit Easier Don't turn the audit engagement into an accounting engagement. Get the accounting work done first. Post accruals, depreciation, make sure everything ties in, etc. We don't want to do accounting work at the audit. Auditors like to tick and tie to get comfort that the numbers are right. Every time we have to make an entry, you lose credibility and it takes longer for us to get comfortable. Your auditors don't have to be your accountants, you can hire an accountant to do a monthly or quarterly review so that you'll be more prepared for your audit. 50 www.metrometro.com
  • 51. Take Control - Make Your Audit Easier Insist on consistency from your audit team. Ask ahead of time, who will be coming. Are they the same auditors as last year? If not, push back a little bit. The more consistency, the less learning curve and the less interruptions. 51 www.metrometro.com
  • 52. Risk Assessment Standards To gain some insight on the need for, and utilization of, these standards, California CPA recently interviewed CPA Lynford Graham, Ph.D., CFE. 52 www.metrometro.com
  • 53. Lynford Graham, Ph.D CPA, CFE As a former member of the AICPA's Auditing Standards Board and Risk Assessment Standards Task Force, and chair of the Risk Assessment and Risk Response Audit Guide Task Force, Graham was instrumental in developing these Audit Risk Standards. A frequent lecturer on the subject nationwide, Graham also is the author of a handbook on documenting internal controls for non-public companies. 53 www.metrometro.com
  • 54. Question What were the goals and objectives of the ASB and Risk Assessment Standards Task Force? 54 www.metrometro.com
  • 55. Answer A: The ASB, in coordination with the International Audit and Attest Standards Board, undertook a joint project in the latter 1990s to clarify many of the core auditing standards and advance more guidance on the role and performance of risk assessment. This was in response to concerns that audits were becoming increasingly risk-based, but there was a lack of guidance on how to go about the risk assessment process. 55 www.metrometro.com
  • 56. Answer (cont) There were also concerns that, in some cases, too little audit work was being done to identify and correct any errors that might exist in the pre-audit financial statement records. Graham 56 www.metrometro.com
  • 57. Answer (cont) Auditors of major entities were becoming more reliant on the seemingly improved and automated systems, and internal audit resources of these entities. Graham 57 www.metrometro.com
  • 58. Why Now? The disastrous events and audit failures in early 2000 that lead to the Sarbanes-Oxley Act of 2002 are evidence that the project was on target, but that it was too late to avoid the events of Enron, WorldCom and the litany of business and audit failures in that time period. Graham 58 www.metrometro.com
  • 59. Q: How revolutionary are these standards? A: Tough question. Much of the answer depends on what you have been doing in your audits all along. Graham 59 www.metrometro.com
  • 60. Answer (cont) How revolutionary are these standards? The standards mostly clarify the intent of existing standards. Many firms have been successfully using the concepts in these new standards for a long time. For example, using audit assertions as an integral part of the audit planning and performance of the audit is not new. Neither is the assessment of controls as part of understanding the audited entity. That requirement extends to before SAS No. 55. Graham 60 www.metrometro.com
  • 61. Answer (cont) How revolutionary are these standards? There are only a few quot;newquot; concepts, such as the identification of quot;significant risksquot; for audit engagements, which was not part of the auditing literature before, but were still practices of some firms before SAS No. 109. In any case, the extent of change these standards will bring will differ from firm to firm. Graham 61 www.metrometro.com
  • 62. Where are firms struggling with implementation? A: The requirement to assess internal controls design and implementation for audit clients seems to be giving some firms consternation. While not a new concept, this assessment was often glossed over for smaller client audits where controls reliance was not planned 62 www.metrometro.com
  • 63. Where are firms struggling with implementation? Clarifying this requirement creates a need for broad understanding of the COSO framework and its components, how control objectives or attributes are used to assess controls design, and how to identify any obvious quot;holesquot; in the internal controls of an entity. 63 www.metrometro.com
  • 64. Where are firms struggling with implementation? Concerns are out there that this is a Sarbanes approach, which it is not. SAS No. 78 put the COSO framework clearly in our literature long ago, before SOX. The quot;suitequot; requirement is only to assess the design of controls and there is no requirement to test them. 64 www.metrometro.com
  • 65. Where are firms struggling with implementation? In addition, the controls requirements can be limited to the most significant control activity processes, like sales, major cost processes and payroll, and maybe the consolidation and closing process. SOX requirements are much more extensive and require controls testing. 65 www.metrometro.com
  • 66. Where are firms struggling with implementation? Reporting material weaknesses and significant deficiencies in controls, in writing, to the governance group is also an area of attention and concern. While not officially in the suite, SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit, works with SAS No. 109 to ensure internal control matters are identified and communicated. 66 www.metrometro.com
  • 67. Additional Parts of Graham Interview audits of smaller entities are not supposed to be a second-class service compared with audits of larger entities. By clarifying the standards, all firms will compete on an equal footing, and not by re-defining what constitutes an audit under Generally Accepted Auditing Standards. 67 www.metrometro.com
  • 68. Why so much focus on risk assessment? A 2006 Certified Fraud Examiners survey revealed the median size of reported fraud in entities of less than 100 employees is $190,000. How many businesses of that size can withstand losing that amount of money and survive? 68 www.metrometro.com
  • 69. Guidance for the nonprofit Graham has a book coming out, Internal Controls: Guidance for Private, Government and Nonprofit Entities, which helps companies understand how to document their controls and helps to bridge the auditor- client issues in controls assessment and testing. 69 www.metrometro.com
  • 70. What do CPAs need to understand most clearly about the standards? Many of the new requirements will require a real first-year effort to get up and running. The maintenance in year two, and beyond, of well-implemented changes will not be that hard or expensive. Graham 70 www.metrometro.com