NO FRAUD LEFT BEHIND - Tri
Download
Report
Transcript NO FRAUD LEFT BEHIND - Tri
NO FRAUD LEFT BEHIND
The Effect of New Risk Assessment Auditing
Standards on Schools
Runyon Kersteen Ouellette
Risk Assessment Standards
Statements on Auditing Standards
SAS 104 – 111 (risk assessment)
Other recently issued standards
SAS 112 – 115
How will these new audit standards affect
school audits?
SAS 104
Due professional care in the performance
of work
Clarified the definition of reasonable
assurance
Emphasized that reasonable assurance is a
high level of assurance, but not absolute
assurance
SAS 105
Amendment to SAS 95, Generally
Accepted Auditing Standards
Expands the scope of the understanding
that the auditor is required to obtain from
“internal control” to “the entity and its
environment, including its internal control”
SAS 105
Emphasizes that the understanding is
obtained to “assess the risk of material
misstatement of the financial statements”
The understanding of the entity and its
internal control is part of the audit
evidence that supports the opinion
Used to be only part of the audit planning
SAS 106
Audit evidence
Identifies “risk assessment procedures” as
procedures performed to obtain an
understanding of the entity in order to
assess the risk of material misstatement
SAS 106
Evidence obtained from performing risk
assessment procedures, including gaining
an understanding of the entity and its
environment, including its internal controls
as well as tests of controls and substantive
procedures is part of the evidence
obtained to support the audit opinion (not
just to plan the audit)
SAS 106
Risk assessment procedures include:
Inquiries of management and others
Analytical procedures
Observation and inspection
Inquiry alone is no longer sufficient to
evaluate controls and whether they have
been implemented
SAS 107
Audit risk and materiality in conducting an
audit
Auditors can no longer default to
maximum risk (instead of testing controls)
Materiality should take qualitative
considerations into account as well as
quantitative
SAS 108
Planning and supervision
New guidance on development of overall
audit strategy and audit plan
Establish an understanding with the client
What is management’s responsibility
compared to the auditor’s responsibility
SAS 109
Understanding the entity and its environment
and assessing the risks of material
misstatements
Understanding the entity:
Industry, regulatory, and other external factors
Nature of the entity
Objectives and strategies and the related risks
Measurement and review of financial performance
Internal control, which includes accounting policies
SAS 109
Understanding of internal control
Evaluating design of a control
Determining whether it has been implemented
Evaluating the design of control involves
considering whether the control, individually or
in combination with other controls, is capable of
effectively preventing or detecting and
correcting material misstatements
SAS 109
Components of internal control:
Control environment – tone of organization
Risk assessment – identification and analysis of
relevant risks
Information and communication systems –
identification, capture and communication of
information
Control activities – policies and procedures
Monitoring – assessment of the quality of internal
control performance
Control Environment
Primary responsibility for the prevention
and detection of fraud and errors rests
with those charged with governance and
management
The absence or inadequacy of such
programs and controls may constitute a
significant deficiency or material weakness
Control Environment
Communication and enforcement of integrity
and ethical values
Commitment to competence
Participation of those charged with governance
Management’s philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
Risk Assessment
Risk assessment process for financial
reporting purposes is its identification,
analysis, and management of risks
relevant to the preparation of financial
statements that are presented fairly in
conformity with GAAP
Risk Assessment
Risks relevant to financial reporting:
Changes in operating environment
New personnel
New or revamped information systems
Rapid growth
New accounting pronouncements
Information and Communication
Systems
Information systems consist of
procedures, whether automated or
manual, and records established to
initiate, authorize, record, process, and
report entity transactions and to maintain
accountability for the related assets,
liabilities and equity
Information and Communication
Systems
Communication involves providing an
understanding of individual roles and
responsibilities pertaining to internal
control over financial reporting
Control Activities
Authorization
Segregation of duties
Safeguarding
Asset accountability
Monitoring
Management is responsible for establishing and
maintaining internal controls on an ongoing
basis
Monitoring controls includes determining
whether internal controls are operating as
intended and modifying as appropriate for
changes in conditions
Monitoring is done to ensure that controls
continue to operate effectively
SAS 110
Performing audit procedures in response
to assessed risks and evaluating the audit
evidence obtained
Requires tests of controls to obtain audit
evidence about their operating
effectiveness when assessment of risks is
based on the expectation that controls are
operating effectively
SAS 112
Communicating internal control related matters
identified in an audit
Defines the terms significant deficiency and
material weakness (revised by SAS 115)
Provides guidance on the severity of control
deficiencies
Requires communication in writing to
management and those changed with
governance
Control Deficiency
Exists when the design or operation of a
control does not allow management or
employees, in the normal course of
performing their assigned functions, to
prevent or detect misstatements on a
timely basis
Control Deficiency
Deficiency in design exists when:
a control necessary to meet the control
objective is missing or
an existing control is not properly designed so
that even if the control operates as designed,
the control objective is not always met
Control Deficiency
Deficiency in operation exists when:
a properly designed control does not operate
as designed or
when the person performing the control does
not possess the necessary authority or
qualifications to perform the control
effectively
SIGNIFICANT DEFICIENCY (SAS 112)
A control deficiency, or combination of control
deficiencies, that adversely affects the entity’s
ability to initiate, authorize, record, process, or
report financial data reliably in accordance with
generally accepted accounting principles such
that there is more than a remote likelihood that
a misstatement of the entity’s financial
statements that is more than inconsequential
will not be prevented or detected
SIGNIFICANT DEFICIENCY (SAS 115)
A deficiency, or a combination of
deficiencies, in internal control that is less
severe than a material weakness, yet
important enough to merit attention by
those charged with governance
Material Weakness (SAS 112)
A significant deficiency, or a combination
of significant deficiencies, that results in
more than a remote likelihood that a
material misstatement of the financial
statements will not be prevented or
detected
Material Weakness (SAS 115)
A deficiency, or combination of
deficiencies, in internal control, such that
there is a reasonable possibility that a
material misstatement of the entity’s
financial statements will not be prevented,
or detected and corrected on a timely
basis
Material Weakness (SAS 115)
Identification of fraud, whether or not
material, on the part of senior
management
Restatement of previously issued financial
statements to reflect the correction of a
material misstatement due to error or
fraud
Material Weakness (SAS 115)
Identification by the auditor of a material
misstatement of the financial statements under
the audit in circumstances that indicate that the
misstatement would not have been detected by
the entity’s internal control
Ineffective oversight of the entity’s financial
reporting and internal control by those charged
with governance
SAS 114
Auditor’s communication with those
charged with governance
Supersedes SAS 61
Requires communication before and after
the audit
SAS 114
Planned scope and timing of audit
Assist those charged with governance in
understanding the consequences of the auditor’s work
Discussing issues of risk and materiality
Identifying any areas that those charged with
governance request the auditor to undertake
additional procedures
Assist auditor to understand the entity and its
environment
SAS 114
Auditor’s responsibilities under GAAS
Significant findings from audit
Qualitative aspects of the entity’s significant
accounting practices, including policies,
estimates, and disclosures
Significant difficulties or disagreements
Uncorrected misstatements, unless trivial
Other findings or issues
ANY QUESTIONS????