Overview of Recent Auditing Standards and Guidance

undefined
 
 
Frank Crawford, CPA
Chris Pembrook, CPA, CGAP, CRFAC
Crawford & Associates, P.C.
www.crawfordcpas.com
frank@crawfordcpas.com
chris@crawfordcpas.com
 
1
 
1
st
 set of auditing standards that typically apply
to state and local governmental audits
Not much is happening here
Last most 
significant
 auditing standard issued by
the AICPA was SAS 145, 
Understanding the Entity
and Its Environment and Assessing the Risks of
Material Misstatement
 (wait, didn’t we already
have those?)
The AICPA recently released an 89 page Audit
Guide entitled “
Risk Assessment in a Financial
Statement Audit
”, so there must be something
new, huh?
 
2
 
3
 
4
 
While risk assessment may seem boring, an
inappropriate risk assessment will most likely
lead to a substandard audit
A substandard audit will most likely lead to
trouble
We hate trouble
The risk assessment standards have been
given a renewed focus through the AICPA’s
Enhanced Audit Quality Initiative, as well as
through Peer Review
 
5
 
You can’t properly apply the risk assessment
standards if you don’t understand the audit risk
model
While many think they understand the model, the
results of Peer Review, IG desk reviews, and other
audit quality sampling projects say otherwise
Now is the time to reinforce your understanding
of each element of the model, and how the
model is used in determining the nature, timing
and extent of both the risk assessment auditing
procedures and the further auditing procedures
 
6
 
Many firms still simply select auditing
procedures from standardized audit
programs with little or no thought of whether
the procedures selected are responsive to the
risks of material misstatement
Other firms will have a basic or core set of
procedures that they perform for each area,
and additional procedures to choose from for
additional assurance if needed, and then
finally more procedures to choose from if
there are additional risks
 
7
 
While the previous slide’s second bullet
methodology isn’t necessarily a bad thing,
those illustrative audit procedures are no
substitute for truly understanding the risks of
material misstatement and using professional
judgment to select and tailor procedures that
are responsive to the risks AND which reduce
audit risk to an acceptably low level
 
8
 
Audit Risk Model
 
9
 
We care because of the “reasonable assurance”
concept
Reasonable assurance is considered a high level
of assurance that the financial statements are
free of material misstatement
Reasonable assurance = sufficient appropriate
audit evidence obtained has reduced the audit
risk to an acceptably low level
If you have no idea if audit risk has been reduced
to an acceptably low level, then you can’t know
that reasonable assurance has been obtained
 
10
 
I know in practice, we don’t use numbers or
percentages for completing the model, but
humor me for a bit
Let’s assume that the auditor is willing to live with a 3%
AR, which means that we’re okay with a 3% risk that the
financial statements are materially misstated
Let’s further assume we will not rely on controls and that
we assess control risk at 100% (some really small
governments don’t have very good controls, right?) and
let’s assume inherent risk is 50%
So, what’s the result if you perform all the 
basic audit
procedures
 from the basket of illustrative audit
procedures in your methodology and those procedures
would detect 85% of all material misstatements (leaving
a15% DR)?
 
11
 
 
   
?  = (50% x100%) x 15%
 7.5%  = (50% x 100%) x 15%
          or, in other words
          Audit Risk is 7.5%
 
What was the target? (we wanted 3%)
Are we close?
No, we are not close, and we are in big trouble
because we have severely under-audited, and we
haven’t reached reasonable assurance yet
 
12
 
We immediately go and perform several
additional procedures from your illustrative
list of 
additional
 procedures and we get DR
(which was at 15%) down to 10%? You’re good
now, right?
 
13
 
 
   
?  = (50% x100%) x 10%
     5%  = (50% x 100%) x 10%
          or, in other words
          Audit Risk is now 5%
 
What was the target? (we wanted 3%)
Are we close enough yet?
No, and we are still in trouble because we have
under-audited, and we haven’t reached
reasonable assurance yet
 
14
 
We immediately go and perform several
additional procedures from your illustrative
list of 
additional
 procedures and we get DR
(which was at 15%) down to 10%? You’re good
now, right?
Not until you’ve reduced DR to around 6% in
this scenario will you have reduced audit risk
to the acceptably low level that we set of 3%
in order to have obtained reasonable
assurance
 
15
 
We go back to our bag of tricks and pull out a
few more procedures in response to our risk
of material misstatement and attempt to get
the DR down to 6% (which in our risk scenario
is the only way to get AR down to 3%)
 
16
 
 
   
?  = (50% x100%) x 6%
     3%  = (50% x 100%) x 6%
          or, in other words
          Audit Risk is now 3%
 
What was the target? (we wanted 3%)
Are we close enough yet? YES
We have finally reached our target?  YES, but in
order to get here I had to really work not only my
basic procedures, but several other additional
procedures in response to the risk.
 
17
 
You better have some sense of audit risk (AR) you’re
willing to accept or the target that you’re shooting for
The auditor’s assessment of CR and IR is pretty darn
important in planning the nature, timing, and extent of
further audit procedures, which is a direct derivative of the
auditor understanding the entity and the environment that
the entity operates in, and gaining an understanding of the
entity’s internal controls
Thinking about the mix of auditing procedures that are
contained in audit methodology and understanding how
each group or level of procedures reduces detection risk is
essential
Near the end of any audit engagement we should step
back and ask the important question - do the procedures
performed and the evidence obtained reduce audit risk to
an acceptably low level or is more work needed?
 
 
18
 
 
        AR = (IR x CR) x DR
 
             Can the following equation work?
 
 
                  
L = (L x H) x H
 
        Yes, but how does it work?
       It works because the font sizes are different!
 
 
              
L = (
L 
x
 
H
) 
x H
  
      
L
 =     
L  
 
x H
 
19
 
Understanding how the audit risk model works
and how to use that theory when designing and
selecting auditing procedures that are responsive
to the risks of material misstatement trumps
merely filling out a checklist
As we plan upcoming audits, we need to ensure
that every member of the engagement team
understands the importance of RMM (or what can
go wrong) and that professional judgment and
professional skepticism is used to challenge
whether sufficient appropriate audit evidence is
being obtained to reduce audit risk to an
acceptably low level
 
20
 
Technically titled “Understanding the Entity
and Its Environment and Assessing the Risks
of Material Misstatement”
 
21
 
This SAS’s goal was to enhance the auditing
standards relating to the auditor’s risk
assessment and intends to enable auditors to
appropriately address the following:
a. Understanding the entity’s system of internal control,
in particular, relating to the auditor’s work effort to
obtain the necessary understanding
b. Modernizing the standard in relation to IT
considerations, including addressing risks arising from
entity’s use of IT
c. Determining risks of material misstatements,
including 
significant risks 
(new definition)
SAS will be effective for audits of financial
statements for periods ending on or after
December 15, 2023.
 
22
 
The ASB did not seek to fundamentally
change the key concepts underpinning audit
risk as the ASB continues to have the view
that the audit risk model is fundamentally
sound.
Rather, the ASB focused on how certain
aspects of the identification and assessment
of the risks of material misstatement can be
clarified and improved in order to drive better
risk assessments and, therefore, enhance
audit quality.
 
23
 
Scalability
Modernizing and Updating AU-C Section 315
for an Evolving Business Environment
Automated Tools and Techniques
Information Technology
Fostering Independence of Mind and
Professional Skepticism
The Auditor’s Considerations Relating to
Fraud
 
24
 
Focusing on the Applicable Financial
Reporting Framework in Identifying Risks of
Material Misstatement
 
 
25
 
Terms Used to Describe Aspects of the Entity’s
System of Internal Control
Understanding Internal Control Through
Understanding the Five Components of Internal
Control
Work Effort for Understanding Each of the
Components of Internal Control
Controls That Address the Risks of Material
Misstatement
Enhanced Guidance Related to IT
Other Matters Relevant to Understanding the
Entity’s System of Internal Control
 
26
 
Identifying and Assessing the Risks of Material
Misstatement
Spectrum of Inherent Risk (fancy name for our font size
example); the word “spectrum” is used 38 times in this
SAS, so they must think it’s a big deal
Relationship of Concepts With AU-C Section 540
Significant Risks
Identified and Assessed Risks of Material
Misstatement at the Financial Statement Level
Stand-Back and Paragraph .18 of AU-C section
330
 
27
 
 A new "stand-back" requirement intended to
drive an evaluation of the completeness of
the auditor's identification of significant
classes of transactions, account balances, and
disclosures (see paragraph 5.41)
 
28
 
A class of transactions, account balance, or
disclosure for which there is one or more
relevant
 assertions.
What does relevant mean?
An assertion about a class of transactions, account
balance, or disclosure is relevant when it has an
identified risk of 
material
 misstatement.
A risk of material misstatement exists when (a) there is
a reasonable possibility of a misstatement occurring
(that is, its likelihood), and (b) if it were to occur, there
is a reasonable possibility of the misstatement being
material (that is, its magnitude).
 
29
 
 A conforming amendment to perform
substantive procedures for each relevant
assertion of each significant class of
transactions, account balance, and disclosure,
regardless of the assessed level of control
risk (rather than for all relevant assertions
related to each material class of transactions,
account balance, and disclosure, irrespective
of the assessed risks of material
misstatement, as previously required)
 
30
 
An identified risk of material misstatement
for which the assessment of inherent risk is
close to the upper end of the spectrum of
inherent risk due to the degree to which
inherent risk factors affect the combination of
the likelihood of a misstatement occurring and
the magnitude of the potential misstatement
should that misstatement occur, or that is to
be treated as a significant risk in accordance
with the requirements of other AU-C sections
 
31
 
Documentation of key matters
Rationale for the significant judgments made
in identifying and assessing the risks of
material misstatement
Requires
 that the auditor assess inherent risk
and control risk separately
 
32
 
Another convergence standard
Special Considerations — Audits of Group
Financial Statements (Including the Work of
Component Auditors and Audits of Referred-
to Auditors)
Supersedes SAS No. 122, as amended,
Section 600, 
Special Considerations — Audits
of Group Financial Statements (Including the
Work of Component Auditors)
, and makes
conforming amendments to other impacted
SASs.
 
33
 
SAS No. 149, in superseding Section 600 of SAS
No. 122, shifts the auditor's approach in
determining the components at which to perform
audit work from identifying "significant
components" to using professional judgment
based on assessed risk
SAS No. 149 retains the two reporting options
available to the group auditor
making reference to the audit of a component auditor
assuming responsibility for the work of component
auditors
 
34
 
Introduces the term "referred-to auditor," and
defines it as an auditor "who performs an
audit of the financial statements of a
component to which the group engagement
partner determines to make reference in the
auditor's report on the group financial
statements." It also indicates that a referred-
to auditor is not part of the engagement team
Revises the definition of component auditor
to indicate that a component auditor is part
of the engagement team
 
35
 
The ASB also issued Statement on Quality
Management Standards (SQMS) No.
3, 
Amendments to QM Sections 10, 
A Firm's
System of Quality Management
,
 
and
20, 
Engagement Quality Reviews, to conform
certain terms used in the quality management
standards to language used in SAS No. 149 and
provide guidance on differentiating between a
resource and an information source
Effective for audits of group financial statements
for periods ending on or after Dec. 15, 2026, but
now is the time for auditors to prepare. SQMS No.
3 is effective concurrently with the effective dates
provided in QM Sections 10 and 20
 
36
 
Also known as the “Yellow Book”
2
nd
 set of auditing standards that typically
apply to a government audit (the 1
st
 set being
the AICPA GAAS that we just talked about)
Last full revision was the 2018
However, the 2018 revision received a
technical update in April 2021
 
37
 
1.02 The concept of accountability for use of
public resources and government authority is
key to our nation’s governing processes.
Management and officials entrusted with
public resources are responsible for carrying
out public functions and providing service to
the public effectively, efficiently,
economically, ethically, 
and equitably
 within
the context of the statutory boundaries of the
specific government program.
 
38
 
1.03 “….and (3) government services are
provided effectively, efficiently, economically,
ethically, 
and equitably
 
39
 
1.23 Examples of program effectiveness and
results audit objectives include f. determining
whether a program provides 
equitable
 access
to or distribution of public resources within
the context of statutory parameters
 
40
 
3.83 If auditors provided a nonaudit service in
the period to be covered by the engagement,
they should (1) determine if GAGAS expressly
prohibits the nonaudit service; (2) if audited
entity management requested the nonaudit
service, determine whether the 
skill
, knowledge,
or experience of the individual responsible for
overseeing the nonaudit service 
was
 sufficient;
and (3) determine whether a threat to
independence exists and address any threats
noted in accordance with the conceptual
framework.
 
41
 
8.42 
If internal control is significant to the audit
objectives, auditors determine which of the five
components of internal control are significant to
the audit objectives, as all components of
internal control are generally relevant, but not all
components may be significant to the audit
objectives. This determination can also identify
the underlying principles, control objectives, or
specific controls that are significant to the audit
objectives. Determining which internal control
components, principles, control objectives,
and/or specific controls are significant to the
audit objectives is a matter of professional
judgment.
 
42
 
8.49 
If internal control is determined to be
significant to the audit objectives, auditors
should plan and perform audit procedures to
assess internal control to the extent
necessary to address the audit objectives.
 
43
 
9.30 
When reporting on the scope of their
work on internal control, auditors should
identify the scope of internal control assessed
to the extent necessary for report users to
reasonably interpret the findings,
conclusions, and recommendations in the
audit report.
 
44
 
9.32 
Auditors may identify the control components,
underlying principles, control objectives, or specific
controls assessed in describing the scope of their work on
internal control. Auditors may also identify the level of
internal control assessment performed, as discussed in
paragraph 8.50. Control components and underlying
principles that are not considered significant to the audit
objectives may be identified in the scope if, in the
auditors’ professional judgment, doing so is necessary to
preclude a misunderstanding of the breadth of the
conclusions of the audit report and to clarify that control
effectiveness has not been evaluated as a whole. Auditors
may also identify and describe the five components of
internal control so that report users understand the scope
of the work within the context of the entity’s internal
control system
 
45
 
Updates to enhance how audit organizations
manage audit quality. Effective quality
management can reasonably assure an audit
organization that its people, audits, and
reports adhere to professional standards and
applicable laws.
Another updated area adds guidance for
financial audits.
 
46
 
The proposed Yellow Book revision would
replace extant chapter 5, "Quality Control and
Peer Review," paragraphs 5.01 through 5.59,
and add additional application guidance to
chapter 6, "Standards for Financial Audits."
 
47
 
Directs audit organizations that are subject to
selected standard setters' quality
management standards to comply with those
requirements and specific additional Yellow
Book requirements to avoid the potential
burden of audit organizations designing and
maintaining separate systems of quality
management.
 
48
 
Emphasizes the responsibility of leadership
for quality management within an audit
organization and requires senior leadership
to take an active role in the system of quality
management
Adds a quality management risk assessment
process and an information and
communication component to the framework
for the system of quality management
 
49
 
Emphasizes monitoring of the entire system
of quality management and includes a new
requirement to investigate the underlying
causes of identified quality management
deficiencies
Promotes scalability of the standard for use
by audit organizations differing in size and
complexity
 
50
 
Provides for the use of engagement quality
reviews, if the audit organization determines
that engagement quality review is an
appropriate response to address one or more
quality risks
Proposes application guidance for key audit
matters to provide clarity for financial audits
of government entities and entities that
receive government financial assistance
 
51
 
3
rd
 set of standards that may typically apply
to your audits of state and local governments
Dictated by the expenditure of a certain level
of federal financial awards in any one fiscal
year
These also don’t change significantly from
year to year
However, how you audit federal financial
awards does change via the compliance
supplement issued each year
 
52
 
Historic federal funding (COVID-19 and IIJA funding)
New IIJA programs and continued impact on
existing programs receiving additional funding
“Higher risk” classification by OMB will continue
which impacts major program determination
New recipients/increase in first-time single audits
COVID-19 waiver expiration
Continued workload compression
Federal focus on oversight, accountability, and
transparency
Quality should always be a focus!
 
53
 
*
Above numbers do not include
for-profit audits of federal funding
(e.g., healthcare entities and
shuttered venues) which likely
would add another 10,000+ audits
for 2021 and likely 2022
 
54
 
Winding down, but still in play for many recipients
Of the pandemic funding programs still in play, the
largest and most pervasive are:
CSLFRF
PRF
ESF
Auditors still need to focus on pandemic funding
nuances and keep a focus on quality
Audits of for-profit recipients of this funding
continue
 
55
 
National Emergency has ended and the Public Health
Emergency ends on May 11
Many federal COVID-19 waivers were tied to these
emergencies
The result?  Previous waivers provided to recipients for
certain compliance requirements have expired or will
expire soon
For example, HHS healthcare-related, USDA nutrition-
related, HUD housing related, ED SFA
Be alert to guidance issued by agencies on expiring
waivers since will impact single audit testing
 
56
 
Authorized $1.2
trillion for spending
 
Signed into law by
President Biden on
November 15, 2021
 
 
Over $550 billion
designated for ‘new’
federal programs for
transportation,
infrastructure, and
broadband
Probable that significant amounts of this federal funding will either be passed through States or received
directly by both non-federal entities and for-profit entities
 
Each of the federal
programs resulting
from the IIJA have
unique aspects
 
57
 
Expected by mid-May 2023
Several new programs and changes to many more
programs than usual
Performance reporting updates
Changes due to law or regulation changes
Changes to introduce IIJA provisions
Part 3 will have minimal changes
Build America Buy America Act guidance added to
Procurement and Cash Management guidance
tweaked
Highway Planning and Construction Cluster
 
58
 
Continues to include listing of higher risk programs in
Appendix IV; programs expected
 
59
 
Out-of-Period issues
PRF amounts reported on the SEFA align with
report submissions to the PRF Reporting Portal
ESF/HEERF allowed institutions to go back to
prior periods for expenditures/lost revenue
SVOG allowed pre-award costs back to March
2020
Determining completeness - certain COVID funding
may be handled by departments unaccustomed to
federal funding (e.g., 32.009)
Identification of COVID-19 funding on face of SEFA
Determining when awards exist
 
Use this GAQC
nonauthoritative
tool as a
resource:
Guidance on the
Reporting of
Certain COVID-
19 Awards on an
Accrual Basis
SEFA
 
60
 
Pandemic funding has significantly increased
usage of AU-C 805
, 
Audits of Single Financial
Statements and Specific Elements, Accounts, or
Items of a Financial Statement
; 
for example
:
More program-specific audits being
performed
GAGAS financial audit option for for-profit
PRF recipients
Remember that the auditor is required to comply
with all AU-C sections relevant to the audit
 
 
Access a
related new
GAQC article,
Governmental
Audits of
Single
Financial
Statements or
Elements
 
61
 
Have seen an increase in auditor receiving letters and other
requests from federal agencies
Letters from Education on the SFA program
Letters from HHS regarding the PRF program
When requests involve access to audit documentation, refer
to Interpretation No. 1, 
Providing Access to or Copies of
Audit Documentation to a Regulator 
(AU-C sec. 9230 par.
.01-.15),
Consult within firm/organization to determine protocols for
such requests
 
 
 
62
 
The provider of the FAC will change from Census to GSA by
October 1, 2023.  Web address will be:  
https://www.fac.gov/
Single audits with a fiscal period ending in 2022 (or earlier)
should be submitted to Census FAC (
https://facweb.census.gov/
)
Any draft not fully submitted to the Census FAC by October
1, 2023, may need to be completely re-started at the new
GSA FAC
Single audits with a fiscal period ending in 2023 will be
submitted to the new GSA FAC beginning on October 1, 2023.
GAQC is monitoring this timeline and will request that OMB issue
guidance on late 2023 submissions that may result from the
October launch date of the new FAC
Relates to the 30-day part of submission requirement
 
Auditors and
auditees with
earlier 2023
fiscal year end
single audits
should develop
policies to
ensure
submission
occurs once the
new FAC opens
 
63
 
Key resource for auditors; you should be
using this Guide!
2023 update expected in eBook and
paperback this summer
Key changes:
An appendix introducing SAS 145
Issuance of SAS 148
Updates to certain pandemic funding
information
Order when published
at:  
https://www.aicpa-
cima.com/cpe-learning
 
64
 
OMB is expected to issue a 
Federal Register 
notice
proposing changes to the UG this summer
Stated area of focus are changes that would reduce
administrative burden, areas having inconstant
interpretation, areas needing improved clarity, and
consistency updates
All parts of the UG have the potential for change
In advance, OMB issued a Request for Information,
asking respondents for recommended changes
See 
GAQC response
 
65
 
So what did $5.4 trillion of pandemic relief
funding mean for auditors last year in the
compliance supplement?
 
Hint: here is where your risk is
 
66
 
29 new programs by AL number have been
added
1,968 total pages in the 2022 Compliance
Supplement
The word “pandemic” appears 134 times
The word “Coronavirus” appears 409 times
The words “Cares Act” appear 424 times
The word “Covid” appears 741 times
I can only guess how many times these will
be mentioned in the 2023 supplement
 
67
 
Failure to report findings in the appropriate
form in the Schedule of Findings and
Questioned Costs
Failure to identify and test sufficient and
appropriate major programs, failure to
cluster, failure to properly perform Type A
and Type B program risk assessments, failure
to group programs with the same CFDA/AL
number, and incorrect determination of the
auditee as low-risk resulting in insufficient
coverage
 
68
 
Failure to properly conclude and document
either that an applicable compliance
requirement does not apply to the particular
auditee or that noncompliance with the
requirements could not have a direct and
material effect on a major program
 
69
 
Failure to document an understanding of
internal control over compliance of federal
awards sufficient to plan the audit to support
low assessed level of control risk for major
programs, including consideration of risk of
material noncompliance (materiality) related
to each applicable compliance requirement
and major program
 
70
 
Failure to document the adequacy of the
planned sample size for test of controls over
compliance to achieve a low level of control
risk
Failure to document the testing of controls
and compliance for the relevant assertions
related to each applicable compliance
requirement with a direct and material effect
for the major program
 
71
 
Lack of documentation of risk of material
noncompliance for the major program’s
compliance requirements occurring due to
fraud
Lack of documentation related to the SEFA
Internal controls over the preparation of the SEFA
Procedures to determine whether the SEFA is fairly
presented in all material respects
Reconciliation of the SEFA to amounts in the
financial statements
 
72
 
Lack of documentation of consideration of
subsequent events related to the major
program and its compliance requirements
 
73
 
Remember the old Single Audit Sampling
Project from 2007?
It covered single audits issued from March
2003 to April 2004
55.3% Acceptable
14.4% Limited Reliability
30.3% Unacceptable
A follow up review is being planned…
 
 
74
 
Guess how many pages the 2003 compliance
supplement was?  150 total pages
 
How many pages did I say the 2022
supplement had in it?  1,968 total pages
 
What do you think the new stats will show?
 
75
 
 
76
Slide Note
Embed
Share

The content discusses recent developments in auditing standards, including the release of SAS 145 by the AICPA and an Audit Guide on Risk Assessment. It also highlights various SAS numbers, topics, effective dates, and sections affected, providing insights into the evolving landscape of auditing practices for governmental and financial statement audits.

  • Auditing standards
  • AICPA
  • Risk assessment
  • SAS
  • Financial statements

Uploaded on Aug 03, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Frank Crawford, CPA Chris Pembrook, CPA, CGAP, CRFAC Crawford & Associates, P.C. www.crawfordcpas.com frank@crawfordcpas.com chris@crawfordcpas.com 1

  2. 1st set of auditing standards that typically apply to state and local governmental audits Not much is happening here Last most significant auditing standard issued by the AICPA was SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (wait, didn t we already have those?) The AICPA recently released an 89 page Audit Guide entitled Risk Assessment in a Financial Statement Audit , so there must be something new, huh? 2

  3. SAS No. SAS No. Topic Topic AU AU- - C Section Affected C Section Affected Effective Date Effective Date 500 and various other AU- -Cs 500 and various other AU Audits of periods ending on or after 12/15/2022 Audits of periods ending on or after 12/15/2022 142 142 Audit Evidence Audit Evidence Cs Auditing Accounting Estimates and Related Disclosures Auditing Accounting Estimates and Related Disclosures 540 and various other AU- -Cs 540 and various other AU Audits of periods ending on or after 12/15/2023 Audits of periods ending on or after 12/15/2023 143 143 Cs Use of Specialists and Use of Pricing Information Use of Specialists and Use of Pricing Information Audits of periods ending on or after 12/15/2023 Audits of periods ending on or after 12/15/2023 144 144 501, 540, and 620 501, 540, and 620 315 and various other AU- -Cs 315 and various other AU Audits of periods ending on or after 12/15/2023 Audits of periods ending on or after 12/15/2023 145 145 Risk Assessment Risk Assessment Cs 3

  4. AU Affected AU- - C Section Affected C Section SAS No. SAS No. Topic Topic Effective Date Effective Date Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards Inquiries of the Predecessor Auditor Regarding Fraud and Noncompliance With Laws and Regulations Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards Inquiries of the Predecessor Auditor Regarding Fraud and Noncompliance With Laws and Regulations Audits of periods beginning on or after 6/30/2025 Audits of periods beginning on or after 6/30/2025 220 and various other AU- -Cs 220 and various other AU 146 146 Cs Audits of periods beginning on or after 6/30/2023 Audits of periods beginning on or after 6/30/2023 147 147 210 210 Various (to align with effective dates of SAS 142 and 145) Various (to align with effective dates of SAS 142 and 145) 148 148 Amendments to AU Amendments to AU- -C Section 935 C Section 935 935 935 Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred- -to Audits) Special Considerations Group Financial Statements (Including the Work of Component Auditors and Audits of Referred Audits) Audits of 600 and various other AU 600 and various other AU- -Cs Audits of periods ending on or after 12/15/2026 Audits of periods ending on or after 12/15/2026 149 149 Cs to 4

  5. While risk assessment may seem boring, an inappropriate risk assessment will most likely lead to a substandard audit A substandard audit will most likely lead to trouble We hate trouble The risk assessment standards have been given a renewed focus through the AICPA s Enhanced Audit Quality Initiative, as well as through Peer Review 5

  6. You cant properly apply the risk assessment standards if you don t understand the audit risk model While many think they understand the model, the results of Peer Review, IG desk reviews, and other audit quality sampling projects say otherwise Now is the time to reinforce your understanding of each element of the model, and how the model is used in determining the nature, timing and extent of both the risk assessment auditing procedures and the further auditing procedures 6

  7. Many firms still simply select auditing procedures from standardized audit programs with little or no thought of whether the procedures selected are responsive to the risks of material misstatement Other firms will have a basic or core set of procedures that they perform for each area, and additional procedures to choose from for additional assurance if needed, and then finally more procedures to choose from if there are additional risks 7

  8. While the previous slides second bullet methodology isn t necessarily a bad thing, those illustrative audit procedures are no substitute for truly understanding the risks of material misstatement and using professional judgment to select and tailor procedures that are responsive to the risks AND which reduce audit risk to an acceptably low level 8

  9. Audit Risk Model 9

  10. We care because of the reasonable assurance concept Reasonable assurance is considered a high level of assurance that the financial statements are free of material misstatement Reasonable assurance = sufficient appropriate audit evidence obtained has reduced the audit risk to an acceptably low level If you have no idea if audit risk has been reduced to an acceptably low level, then you can t know that reasonable assurance has been obtained 10

  11. I know in practice, we dont use numbers or percentages for completing the model, but humor me for a bit Let s assume that the auditor is willing to live with a 3% AR, which means that we re okay with a 3% risk that the financial statements are materially misstated Let s further assume we will not rely on controls and that we assess control risk at 100% (some really small governments don t have very good controls, right?) and let s assume inherent risk is 50% So, what s the result if you perform all the basic audit procedures from the basket of illustrative audit procedures in your methodology and those procedures would detect 85% of all material misstatements (leaving a15% DR)? 11

  12. ? = (50% x100%) x 15% 7.5% = (50% x 100%) x 15% or, in other words Audit Risk is 7.5% What was the target? (we wanted 3%) Are we close? No, we are not close, and we are in big trouble because we have severely under-audited, and we haven t reached reasonable assurance yet 12

  13. We immediately go and perform several additional procedures from your illustrative list of additional procedures and we get DR (which was at 15%) down to 10%? You re good now, right? 13

  14. ? = (50% x100%) x 10% 5% = (50% x 100%) x 10% or, in other words Audit Risk is now 5% What was the target? (we wanted 3%) Are we close enough yet? No, and we are still in trouble because we have under-audited, and we haven t reached reasonable assurance yet 14

  15. We immediately go and perform several additional procedures from your illustrative list of additional procedures and we get DR (which was at 15%) down to 10%? You re good now, right? Not until you ve reduced DR to around 6% in this scenario will you have reduced audit risk to the acceptably low level that we set of 3% in order to have obtained reasonable assurance 15

  16. We go back to our bag of tricks and pull out a few more procedures in response to our risk of material misstatement and attempt to get the DR down to 6% (which in our risk scenario is the only way to get AR down to 3%) 16

  17. ? = (50% x100%) x 6% 3% = (50% x 100%) x 6% or, in other words Audit Risk is now 3% What was the target? (we wanted 3%) Are we close enough yet? YES We have finally reached our target? YES, but in order to get here I had to really work not only my basic procedures, but several other additional procedures in response to the risk. 17

  18. You better have some sense of audit risk (AR) youre willing to accept or the target that you re shooting for The auditor s assessment of CR and IR is pretty darn important in planning the nature, timing, and extent of further audit procedures, which is a direct derivative of the auditor understanding the entity and the environment that the entity operates in, and gaining an understanding of the entity s internal controls Thinking about the mix of auditing procedures that are contained in audit methodology and understanding how each group or level of procedures reduces detection risk is essential Near the end of any audit engagement we should step back and ask the important question - do the procedures performed and the evidence obtained reduce audit risk to an acceptably low level or is more work needed? 18

  19. AR = (IR x CR) x DR Can the following equation work? L = (L x H) x H Yes, but how does it work? It works because the font sizes are different! L = (L L x H) x H L = L x H 19

  20. Understanding how the audit risk model works and how to use that theory when designing and selecting auditing procedures that are responsive to the risks of material misstatement trumps merely filling out a checklist As we plan upcoming audits, we need to ensure that every member of the engagement team understands the importance of RMM (or what can go wrong) and that professional judgment and professional skepticism is used to challenge whether sufficient appropriate audit evidence is being obtained to reduce audit risk to an acceptably low level 20

  21. Technically titled Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement 21

  22. This SASs goal was to enhance the auditing standards relating to the auditor s risk assessment and intends to enable auditors to appropriately address the following: a. Understanding the entity s system of internal control, in particular, relating to the auditor s work effort to obtain the necessary understanding b. Modernizing the standard in relation to IT considerations, including addressing risks arising from entity s use of IT c. Determining risks of material misstatements, including significant risks (new definition) SAS will be effective for audits of financial statements for periods ending on or after December 15, 2023. 22

  23. The ASB did not seek to fundamentally change the key concepts underpinning audit risk as the ASB continues to have the view that the audit risk model is fundamentally sound. Rather, the ASB focused on how certain aspects of the identification and assessment of the risks of material misstatement can be clarified and improved in order to drive better risk assessments and, therefore, enhance audit quality. 23

  24. Scalability Modernizing and Updating AU-C Section 315 for an Evolving Business Environment Automated Tools and Techniques Information Technology Fostering Independence of Mind and Professional Skepticism The Auditor s Considerations Relating to Fraud 24

  25. Focusing on the Applicable Financial Reporting Framework in Identifying Risks of Material Misstatement 25

  26. Terms Used to Describe Aspects of the Entitys System of Internal Control Understanding Internal Control Through Understanding the Five Components of Internal Control Work Effort for Understanding Each of the Components of Internal Control Controls That Address the Risks of Material Misstatement Enhanced Guidance Related to IT Other Matters Relevant to Understanding the Entity s System of Internal Control 26

  27. Identifying and Assessing the Risks of Material Misstatement Spectrum of Inherent Risk (fancy name for our font size example); the word spectrum is used 38 times in this SAS, so they must think it s a big deal Relationship of Concepts With AU-C Section 540 Significant Risks Identified and Assessed Risks of Material Misstatement at the Financial Statement Level Stand-Back and Paragraph .18 of AU-C section 330 27

  28. A new "stand-back" requirement intended to drive an evaluation of the completeness of the auditor's identification of significant classes of transactions, account balances, and disclosures (see paragraph 5.41) 28

  29. A class of transactions, account balance, or disclosure for which there is one or more relevant assertions. What does relevant mean? An assertion about a class of transactions, account balance, or disclosure is relevant when it has an identified risk of material misstatement. A risk of material misstatement exists when (a) there is a reasonable possibility of a misstatement occurring (that is, its likelihood), and (b) if it were to occur, there is a reasonable possibility of the misstatement being material (that is, its magnitude). 29

  30. A conforming amendment to perform substantive procedures for each relevant assertion of each significant class of transactions, account balance, and disclosure, regardless of the assessed level of control risk (rather than for all relevant assertions related to each material class of transactions, account balance, and disclosure, irrespective of the assessed risks of material misstatement, as previously required) 30

  31. An identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or that is to be treated as a significant risk in accordance with the requirements of other AU-C sections 31

  32. Documentation of key matters Rationale for the significant judgments made in identifying and assessing the risks of material misstatement Requires that the auditor assess inherent risk and control risk separately 32

  33. Another convergence standard Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred- to Auditors) Supersedes SAS No. 122, as amended, Section 600, Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors), and makes conforming amendments to other impacted SASs. 33

  34. SAS No. 149, in superseding Section 600 of SAS No. 122, shifts the auditor's approach in determining the components at which to perform audit work from identifying "significant components" to using professional judgment based on assessed risk SAS No. 149 retains the two reporting options available to the group auditor making reference to the audit of a component auditor assuming responsibility for the work of component auditors 34

  35. Introduces the term "referred-to auditor," and defines it as an auditor "who performs an audit of the financial statements of a component to which the group engagement partner determines to make reference in the auditor's report on the group financial statements." It also indicates that a referred- to auditor is not part of the engagement team Revises the definition of component auditor to indicate that a component auditor is part of the engagement team 35

  36. The ASB also issued Statement on Quality Management Standards (SQMS) No. 3, Amendments to QM Sections 10, A Firm's System of Quality Management, and 20, Engagement Quality Reviews, to conform certain terms used in the quality management standards to language used in SAS No. 149 and provide guidance on differentiating between a resource and an information source Effective for audits of group financial statements for periods ending on or after Dec. 15, 2026, but now is the time for auditors to prepare. SQMS No. 3 is effective concurrently with the effective dates provided in QM Sections 10 and 20 36

  37. Also known as the Yellow Book 2nd set of auditing standards that typically apply to a government audit (the 1st set being the AICPA GAAS that we just talked about) Last full revision was the 2018 However, the 2018 revision received a technical update in April 2021 37

  38. 1.02 The concept of accountability for use of public resources and government authority is key to our nation s governing processes. Management and officials entrusted with public resources are responsible for carrying out public functions and providing service to the public effectively, efficiently, economically, ethically, and equitably within the context of the statutory boundaries of the specific government program. 38

  39. 1.03 .and (3) government services are provided effectively, efficiently, economically, ethically, and equitably 39

  40. 1.23 Examples of program effectiveness and results audit objectives include f. determining whether a program provides equitable access to or distribution of public resources within the context of statutory parameters 40

  41. 3.83 If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 41

  42. 8.42 If internal control is significant to the audit objectives, auditors determine which of the five components of internal control are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify the underlying principles, control objectives, or specific controls that are significant to the audit objectives. Determining which internal control components, principles, control objectives, and/or specific controls are significant to the audit objectives is a matter of professional judgment. 42

  43. 8.49 If internal control is determined to be significant to the audit objectives, auditors should plan and perform audit procedures to assess internal control to the extent necessary to address the audit objectives. 43

  44. 9.30 When reporting on the scope of their work on internal control, auditors should identify the scope of internal control assessed to the extent necessary for report users to reasonably interpret the findings, conclusions, and recommendations in the audit report. 44

  45. 9.32 Auditors may identify the control components, underlying principles, control objectives, or specific controls assessed in describing the scope of their work on internal control. Auditors may also identify the level of internal control assessment performed, as discussed in paragraph 8.50. Control components and underlying principles that are not considered significant to the audit objectives may be identified in the scope if, in the auditors professional judgment, doing so is necessary to preclude a misunderstanding of the breadth of the conclusions of the audit report and to clarify that control effectiveness has not been evaluated as a whole. Auditors may also identify and describe the five components of internal control so that report users understand the scope of the work within the context of the entity s internal control system 45

  46. Updates to enhance how audit organizations manage audit quality. Effective quality management can reasonably assure an audit organization that its people, audits, and reports adhere to professional standards and applicable laws. Another updated area adds guidance for financial audits. 46

  47. The proposed Yellow Book revision would replace extant chapter 5, "Quality Control and Peer Review," paragraphs 5.01 through 5.59, and add additional application guidance to chapter 6, "Standards for Financial Audits." 47

  48. Directs audit organizations that are subject to selected standard setters' quality management standards to comply with those requirements and specific additional Yellow Book requirements to avoid the potential burden of audit organizations designing and maintaining separate systems of quality management. 48

  49. Emphasizes the responsibility of leadership for quality management within an audit organization and requires senior leadership to take an active role in the system of quality management Adds a quality management risk assessment process and an information and communication component to the framework for the system of quality management 49

  50. Emphasizes monitoring of the entire system of quality management and includes a new requirement to investigate the underlying causes of identified quality management deficiencies Promotes scalability of the standard for use by audit organizations differing in size and complexity 50

Related


More Related Content

giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#