Overview of Recent Auditing Standards and Guidance

Slide Note
Embed
Share

The content discusses recent developments in auditing standards, including the release of SAS 145 by the AICPA and an Audit Guide on Risk Assessment. It also highlights various SAS numbers, topics, effective dates, and sections affected, providing insights into the evolving landscape of auditing practices for governmental and financial statement audits.


Uploaded on Aug 03, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Frank Crawford, CPA Chris Pembrook, CPA, CGAP, CRFAC Crawford & Associates, P.C. www.crawfordcpas.com frank@crawfordcpas.com chris@crawfordcpas.com 1

  2. 1st set of auditing standards that typically apply to state and local governmental audits Not much is happening here Last most significant auditing standard issued by the AICPA was SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (wait, didn t we already have those?) The AICPA recently released an 89 page Audit Guide entitled Risk Assessment in a Financial Statement Audit , so there must be something new, huh? 2

  3. SAS No. SAS No. Topic Topic AU AU- - C Section Affected C Section Affected Effective Date Effective Date 500 and various other AU- -Cs 500 and various other AU Audits of periods ending on or after 12/15/2022 Audits of periods ending on or after 12/15/2022 142 142 Audit Evidence Audit Evidence Cs Auditing Accounting Estimates and Related Disclosures Auditing Accounting Estimates and Related Disclosures 540 and various other AU- -Cs 540 and various other AU Audits of periods ending on or after 12/15/2023 Audits of periods ending on or after 12/15/2023 143 143 Cs Use of Specialists and Use of Pricing Information Use of Specialists and Use of Pricing Information Audits of periods ending on or after 12/15/2023 Audits of periods ending on or after 12/15/2023 144 144 501, 540, and 620 501, 540, and 620 315 and various other AU- -Cs 315 and various other AU Audits of periods ending on or after 12/15/2023 Audits of periods ending on or after 12/15/2023 145 145 Risk Assessment Risk Assessment Cs 3

  4. AU Affected AU- - C Section Affected C Section SAS No. SAS No. Topic Topic Effective Date Effective Date Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards Inquiries of the Predecessor Auditor Regarding Fraud and Noncompliance With Laws and Regulations Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards Inquiries of the Predecessor Auditor Regarding Fraud and Noncompliance With Laws and Regulations Audits of periods beginning on or after 6/30/2025 Audits of periods beginning on or after 6/30/2025 220 and various other AU- -Cs 220 and various other AU 146 146 Cs Audits of periods beginning on or after 6/30/2023 Audits of periods beginning on or after 6/30/2023 147 147 210 210 Various (to align with effective dates of SAS 142 and 145) Various (to align with effective dates of SAS 142 and 145) 148 148 Amendments to AU Amendments to AU- -C Section 935 C Section 935 935 935 Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred- -to Audits) Special Considerations Group Financial Statements (Including the Work of Component Auditors and Audits of Referred Audits) Audits of 600 and various other AU 600 and various other AU- -Cs Audits of periods ending on or after 12/15/2026 Audits of periods ending on or after 12/15/2026 149 149 Cs to 4

  5. While risk assessment may seem boring, an inappropriate risk assessment will most likely lead to a substandard audit A substandard audit will most likely lead to trouble We hate trouble The risk assessment standards have been given a renewed focus through the AICPA s Enhanced Audit Quality Initiative, as well as through Peer Review 5

  6. You cant properly apply the risk assessment standards if you don t understand the audit risk model While many think they understand the model, the results of Peer Review, IG desk reviews, and other audit quality sampling projects say otherwise Now is the time to reinforce your understanding of each element of the model, and how the model is used in determining the nature, timing and extent of both the risk assessment auditing procedures and the further auditing procedures 6

  7. Many firms still simply select auditing procedures from standardized audit programs with little or no thought of whether the procedures selected are responsive to the risks of material misstatement Other firms will have a basic or core set of procedures that they perform for each area, and additional procedures to choose from for additional assurance if needed, and then finally more procedures to choose from if there are additional risks 7

  8. While the previous slides second bullet methodology isn t necessarily a bad thing, those illustrative audit procedures are no substitute for truly understanding the risks of material misstatement and using professional judgment to select and tailor procedures that are responsive to the risks AND which reduce audit risk to an acceptably low level 8

  9. Audit Risk Model 9

  10. We care because of the reasonable assurance concept Reasonable assurance is considered a high level of assurance that the financial statements are free of material misstatement Reasonable assurance = sufficient appropriate audit evidence obtained has reduced the audit risk to an acceptably low level If you have no idea if audit risk has been reduced to an acceptably low level, then you can t know that reasonable assurance has been obtained 10

  11. I know in practice, we dont use numbers or percentages for completing the model, but humor me for a bit Let s assume that the auditor is willing to live with a 3% AR, which means that we re okay with a 3% risk that the financial statements are materially misstated Let s further assume we will not rely on controls and that we assess control risk at 100% (some really small governments don t have very good controls, right?) and let s assume inherent risk is 50% So, what s the result if you perform all the basic audit procedures from the basket of illustrative audit procedures in your methodology and those procedures would detect 85% of all material misstatements (leaving a15% DR)? 11

  12. ? = (50% x100%) x 15% 7.5% = (50% x 100%) x 15% or, in other words Audit Risk is 7.5% What was the target? (we wanted 3%) Are we close? No, we are not close, and we are in big trouble because we have severely under-audited, and we haven t reached reasonable assurance yet 12

  13. We immediately go and perform several additional procedures from your illustrative list of additional procedures and we get DR (which was at 15%) down to 10%? You re good now, right? 13

  14. ? = (50% x100%) x 10% 5% = (50% x 100%) x 10% or, in other words Audit Risk is now 5% What was the target? (we wanted 3%) Are we close enough yet? No, and we are still in trouble because we have under-audited, and we haven t reached reasonable assurance yet 14

  15. We immediately go and perform several additional procedures from your illustrative list of additional procedures and we get DR (which was at 15%) down to 10%? You re good now, right? Not until you ve reduced DR to around 6% in this scenario will you have reduced audit risk to the acceptably low level that we set of 3% in order to have obtained reasonable assurance 15

  16. We go back to our bag of tricks and pull out a few more procedures in response to our risk of material misstatement and attempt to get the DR down to 6% (which in our risk scenario is the only way to get AR down to 3%) 16

  17. ? = (50% x100%) x 6% 3% = (50% x 100%) x 6% or, in other words Audit Risk is now 3% What was the target? (we wanted 3%) Are we close enough yet? YES We have finally reached our target? YES, but in order to get here I had to really work not only my basic procedures, but several other additional procedures in response to the risk. 17

  18. You better have some sense of audit risk (AR) youre willing to accept or the target that you re shooting for The auditor s assessment of CR and IR is pretty darn important in planning the nature, timing, and extent of further audit procedures, which is a direct derivative of the auditor understanding the entity and the environment that the entity operates in, and gaining an understanding of the entity s internal controls Thinking about the mix of auditing procedures that are contained in audit methodology and understanding how each group or level of procedures reduces detection risk is essential Near the end of any audit engagement we should step back and ask the important question - do the procedures performed and the evidence obtained reduce audit risk to an acceptably low level or is more work needed? 18

  19. AR = (IR x CR) x DR Can the following equation work? L = (L x H) x H Yes, but how does it work? It works because the font sizes are different! L = (L L x H) x H L = L x H 19

  20. Understanding how the audit risk model works and how to use that theory when designing and selecting auditing procedures that are responsive to the risks of material misstatement trumps merely filling out a checklist As we plan upcoming audits, we need to ensure that every member of the engagement team understands the importance of RMM (or what can go wrong) and that professional judgment and professional skepticism is used to challenge whether sufficient appropriate audit evidence is being obtained to reduce audit risk to an acceptably low level 20

  21. Technically titled Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement 21

  22. This SASs goal was to enhance the auditing standards relating to the auditor s risk assessment and intends to enable auditors to appropriately address the following: a. Understanding the entity s system of internal control, in particular, relating to the auditor s work effort to obtain the necessary understanding b. Modernizing the standard in relation to IT considerations, including addressing risks arising from entity s use of IT c. Determining risks of material misstatements, including significant risks (new definition) SAS will be effective for audits of financial statements for periods ending on or after December 15, 2023. 22

  23. The ASB did not seek to fundamentally change the key concepts underpinning audit risk as the ASB continues to have the view that the audit risk model is fundamentally sound. Rather, the ASB focused on how certain aspects of the identification and assessment of the risks of material misstatement can be clarified and improved in order to drive better risk assessments and, therefore, enhance audit quality. 23

  24. Scalability Modernizing and Updating AU-C Section 315 for an Evolving Business Environment Automated Tools and Techniques Information Technology Fostering Independence of Mind and Professional Skepticism The Auditor s Considerations Relating to Fraud 24

  25. Focusing on the Applicable Financial Reporting Framework in Identifying Risks of Material Misstatement 25

  26. Terms Used to Describe Aspects of the Entitys System of Internal Control Understanding Internal Control Through Understanding the Five Components of Internal Control Work Effort for Understanding Each of the Components of Internal Control Controls That Address the Risks of Material Misstatement Enhanced Guidance Related to IT Other Matters Relevant to Understanding the Entity s System of Internal Control 26

  27. Identifying and Assessing the Risks of Material Misstatement Spectrum of Inherent Risk (fancy name for our font size example); the word spectrum is used 38 times in this SAS, so they must think it s a big deal Relationship of Concepts With AU-C Section 540 Significant Risks Identified and Assessed Risks of Material Misstatement at the Financial Statement Level Stand-Back and Paragraph .18 of AU-C section 330 27

  28. A new "stand-back" requirement intended to drive an evaluation of the completeness of the auditor's identification of significant classes of transactions, account balances, and disclosures (see paragraph 5.41) 28

  29. A class of transactions, account balance, or disclosure for which there is one or more relevant assertions. What does relevant mean? An assertion about a class of transactions, account balance, or disclosure is relevant when it has an identified risk of material misstatement. A risk of material misstatement exists when (a) there is a reasonable possibility of a misstatement occurring (that is, its likelihood), and (b) if it were to occur, there is a reasonable possibility of the misstatement being material (that is, its magnitude). 29

  30. A conforming amendment to perform substantive procedures for each relevant assertion of each significant class of transactions, account balance, and disclosure, regardless of the assessed level of control risk (rather than for all relevant assertions related to each material class of transactions, account balance, and disclosure, irrespective of the assessed risks of material misstatement, as previously required) 30

  31. An identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or that is to be treated as a significant risk in accordance with the requirements of other AU-C sections 31

  32. Documentation of key matters Rationale for the significant judgments made in identifying and assessing the risks of material misstatement Requires that the auditor assess inherent risk and control risk separately 32

  33. Another convergence standard Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred- to Auditors) Supersedes SAS No. 122, as amended, Section 600, Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors), and makes conforming amendments to other impacted SASs. 33

  34. SAS No. 149, in superseding Section 600 of SAS No. 122, shifts the auditor's approach in determining the components at which to perform audit work from identifying "significant components" to using professional judgment based on assessed risk SAS No. 149 retains the two reporting options available to the group auditor making reference to the audit of a component auditor assuming responsibility for the work of component auditors 34

  35. Introduces the term "referred-to auditor," and defines it as an auditor "who performs an audit of the financial statements of a component to which the group engagement partner determines to make reference in the auditor's report on the group financial statements." It also indicates that a referred- to auditor is not part of the engagement team Revises the definition of component auditor to indicate that a component auditor is part of the engagement team 35

  36. The ASB also issued Statement on Quality Management Standards (SQMS) No. 3, Amendments to QM Sections 10, A Firm's System of Quality Management, and 20, Engagement Quality Reviews, to conform certain terms used in the quality management standards to language used in SAS No. 149 and provide guidance on differentiating between a resource and an information source Effective for audits of group financial statements for periods ending on or after Dec. 15, 2026, but now is the time for auditors to prepare. SQMS No. 3 is effective concurrently with the effective dates provided in QM Sections 10 and 20 36

  37. Also known as the Yellow Book 2nd set of auditing standards that typically apply to a government audit (the 1st set being the AICPA GAAS that we just talked about) Last full revision was the 2018 However, the 2018 revision received a technical update in April 2021 37

  38. 1.02 The concept of accountability for use of public resources and government authority is key to our nation s governing processes. Management and officials entrusted with public resources are responsible for carrying out public functions and providing service to the public effectively, efficiently, economically, ethically, and equitably within the context of the statutory boundaries of the specific government program. 38

  39. 1.03 .and (3) government services are provided effectively, efficiently, economically, ethically, and equitably 39

  40. 1.23 Examples of program effectiveness and results audit objectives include f. determining whether a program provides equitable access to or distribution of public resources within the context of statutory parameters 40

  41. 3.83 If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 41

  42. 8.42 If internal control is significant to the audit objectives, auditors determine which of the five components of internal control are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify the underlying principles, control objectives, or specific controls that are significant to the audit objectives. Determining which internal control components, principles, control objectives, and/or specific controls are significant to the audit objectives is a matter of professional judgment. 42

  43. 8.49 If internal control is determined to be significant to the audit objectives, auditors should plan and perform audit procedures to assess internal control to the extent necessary to address the audit objectives. 43

  44. 9.30 When reporting on the scope of their work on internal control, auditors should identify the scope of internal control assessed to the extent necessary for report users to reasonably interpret the findings, conclusions, and recommendations in the audit report. 44

  45. 9.32 Auditors may identify the control components, underlying principles, control objectives, or specific controls assessed in describing the scope of their work on internal control. Auditors may also identify the level of internal control assessment performed, as discussed in paragraph 8.50. Control components and underlying principles that are not considered significant to the audit objectives may be identified in the scope if, in the auditors professional judgment, doing so is necessary to preclude a misunderstanding of the breadth of the conclusions of the audit report and to clarify that control effectiveness has not been evaluated as a whole. Auditors may also identify and describe the five components of internal control so that report users understand the scope of the work within the context of the entity s internal control system 45

  46. Updates to enhance how audit organizations manage audit quality. Effective quality management can reasonably assure an audit organization that its people, audits, and reports adhere to professional standards and applicable laws. Another updated area adds guidance for financial audits. 46

  47. The proposed Yellow Book revision would replace extant chapter 5, "Quality Control and Peer Review," paragraphs 5.01 through 5.59, and add additional application guidance to chapter 6, "Standards for Financial Audits." 47

  48. Directs audit organizations that are subject to selected standard setters' quality management standards to comply with those requirements and specific additional Yellow Book requirements to avoid the potential burden of audit organizations designing and maintaining separate systems of quality management. 48

  49. Emphasizes the responsibility of leadership for quality management within an audit organization and requires senior leadership to take an active role in the system of quality management Adds a quality management risk assessment process and an information and communication component to the framework for the system of quality management 49

  50. Emphasizes monitoring of the entire system of quality management and includes a new requirement to investigate the underlying causes of identified quality management deficiencies Promotes scalability of the standard for use by audit organizations differing in size and complexity 50

Related


More Related Content