Developing an Audit Strategy and Updating SASs and SSARS
Ron Clark
Auburn, Alabama
rclark@business.auburn.edu
Southeastern Accounting Show
Atlanta, Ga.
August 27, 2009
Auditing:
• Developing an Audit Strategy
• Reporting on Control Deficiencies
• The Clarity Project
Compilations and Reviews
• Independence
• Rewrite of SSARS
Audit Strategy
• We often talk about two approaches to an audit:
o “Pure substantive” approach where controls are not tested
o “Controls” approach where internal controls are tested and substantive testing
reduced
A Stumbling Block
• Before trying to apply Risk Assessment Standards, we need to recognize the
unintentional consequences from SAS 55, Consideration of Internal Control in a
Financial Audit, issued 1987.
• SAS 55 stated “After obtaining an understanding of the internal control structure, the
auditor may assess control risk at the maximum level because:
o Controls are unlikely to be effective, or
o Evaluating their effectiveness would be inefficient”
• For those assertions where control risk is assessed at the maximum level, document
conclusion that control risk is at the maximum level but auditor not required to document
the basis for that conclusion.
• These two statements supported a “default audit strategy.”
Default Strategy
• Based on prior knowledge of the client, clients in the same industry or similar size,
decide to take a pure substantive approach before actually starting the audit
• To comply with SAS 55, document an understanding of controls based on prior
knowledge of the client
• Assess control risk at the maximum
• Perform substantive auditing procedures (test of details and balances)
The New Standards
• The auditor should assess and document the risk of material misstatement and have an
appropriate basis for that assessment.
• This basis is obtained by gaining an understanding of the entity and its environment,
including its internal controls.
• The default strategy is eliminated
• The elements of risk assessment, including controls, should be evaluated in relationship
to each other
The Substantive Approach
• While the new SASs still recognize the substantive approach as an acceptable audit
strategy, the implication here is that the auditor must devote more resources to evaluating
the existence and design of internal controls and identifying inherent risk.
o Document relationship between client risk and design and implementation of
controls
o Selection of substantive procedures based on risk assessment and existence and
strength of internal controls
Under new standards:
• Performing substantive procedures is an “Active” decision, not a “Passive” decision
• Mix of substantive tests may change
• More documentation
Comparing Risk & Balance Sheet Approaches To Audit
• New SASs have effectively merged the two approaches into one
• Risk Assessment must be performed regardless of approach to audit
• From the Audit Guide on Risk Assessment, “If auditor does not apply guidance, auditor
should be prepared to explain why”
Flowchart based on the Audit Guide
Developing An Audit Plan
[Flowchart, in three columns (Input, Process, Output). Inputs: external factors, nature of entity, business risks, financial analysis, internal controls, prior knowledge of client. Process: risk assessment procedures (inquiry, observation, analytics, inspection); routine vs. non-routine transactions/processes; significant risk factors; fraud risk factors; relate risk to relevant assertions; select an appropriate mix of auditing procedures (substantive procedures, analytical procedures, tests of controls effectiveness); decision "Sufficient evidence to form conclusions?" (No: refine assessed levels of RMM and adjust audit planning and audit procedures applied; Yes: document conclusions and audit opinion). Outputs: documented understanding of client; assessed levels of inherent and control risk; documented risk of material misstatements (RMM) at the financial statement level and the account/transaction/disclosure level; documented audit plan.]
Where To Begin???
• To properly apply the Risk Assessment standards, we need to “go through” the flowchart
multiple times, each time with a different objective.
Our Overall Objective
• We need an audit plan that is appropriate for the level of the Risk of Material
Misstatement (RMM)
• The elements of RMM are Inherent Risk and Control Risks
• Our assessment of these risks is based on our Understanding of the client
Risk Assessment Procedures:
• Inquiries
• Observation
• Analytics
• Inspection
• Auditor not required to perform all the risk assessment procedures for each aspect
of gaining an understanding of the client
• However, all the risk assessment procedures should be performed by the auditor in the
course of obtaining the required understanding
First Pass Through Flowchart: Inherent Risk-The Key to Applying the Risk Standards
• Technical Info Service 8200.09
• Inherent risk is susceptibility of an assertion to a misstatement assuming there are no
related controls
• This implies we need to assess inherent risks before assessing internal controls
• If we don’t, our assessment of inherent risks may be influenced by our knowledge of
existing or lack of internal controls
Assessing Inherent Risk
• Inherent risk must be assessed on two levels:
o At the entity level, and
o At the individual account/assertion level
Company Level Risks
• What does the entity do?
• How does it distribute its products or deliver its services? Multiple locations?
• Who are its customers? Characteristics?
• Who are the major competitors?
• Who are the major suppliers?
• How does the entity finance its operations?
Industry and Related Regulatory and Other Matters
• Unique characteristics
• Industry conditions (competition, seasonality, demand, etc.)
• Regulatory matters (industry specific accounting principles, taxation, environmental
matters, etc.)
Business Objectives, Strategies, and Risks
• What are the entity’s key business risks?
• How may such risks manifest in the entity’s financial statements?
Assess Inherent Risk at Individual Account Level
• Perform ratio analysis to identify potential “problem” accounts
• Combining our analysis with understanding of entity risks should provide a basis for
assessing inherent risks
Second Pass Through Flowchart: Identifying and Assessing Internal Controls
• Now that we have an overall understanding of the client, we need to gain an
understanding of the internal controls that are:
o Implemented
o Not implemented
• Again, apply risk assessment procedures to inputs
Assessing Control Risk
• AICPA has issued several SASs and guides on internal controls
• While you can still assess control risk at the maximum (i.e., place no reliance on controls),
you must document your basis for doing so
• For significant accounts, processes, and risk, determine if controls are present
o Is the Design of controls appropriate?
o Has control been Implemented (walk-through)?
• Make decision whether to test Effectiveness of individual controls
Prior Period Audits
• Can use information about the entity and its environment obtained in prior periods if
auditor determines info has not changed
• Make inquiries and perform walk-through to determine whether changes have occurred
that may affect the relevance of such information.
• If auditor plans to rely on controls that have not changed since they were last tested, the
auditor should test the operating effectiveness of such controls at least once every three
years
Understanding Controls
• Typical procedures:
o Observation
o Inspect documents
o Walkthrough
o Information from prior audits if controls not changed and not a significant risk.
Use inquiries to determine if changes made
Some key questions and answers from AICPA. These relate primarily to smaller entities.
Technical Info Service - 8200.05
• If auditor anticipates entity does not have effective controls, is auditor required to obtain
understanding of controls even if designing a substantive audit?
• Yes
TIS - .06
• What does “expectation of operating effectiveness of controls” mean?
• Based on auditor’s understanding of the design and implementation of controls, auditor
expects the controls to be effective.
• Will require testing for effectiveness
TIS .07
• Can an all-substantive audit approach be followed even if the auditor’s understanding is
that controls are designed effectively?
• Yes, cost/benefit
TIS - .08
• Is auditor required to understand the less formal controls within a smaller entity?
• Yes, part of overall control environment
• Auditor may decide to test and rely on these less formal controls – Overview by owner is
example
TIS .10
• Auditor cannot default to assessing control risk at the maximum
• Must have basis for assessing control risk, regardless of at maximum or below maximum
TIS .11
• Even if auditor believes before performing risk assessment procedures that controls are
nonexistent or ineffective, the auditor must still:
• Evaluate design of any identified controls
• Determine if they have been implemented
TIS .12
• Walkthroughs are an effective method to confirm understanding of controls
• While standards allow for auditor to use judgment on how often to perform this
procedure, the reality is they should be performed annually
TIS .13
• A client may have many controls but has not documented those controls in accounting
manuals
• Client not required to prepare documentation
• However, auditor may need to document control in working papers
TIS .15
• Just because an auditor decides to not test a control, that does not mean there is a control
deficiency under SAS 112 (115)
• Control deficiencies result from:
o Nonexistent controls
o Poor design
o Not implemented
o Not effective (from test of controls)
TIS .16
• Bottom line: test (sample) all journal entries:
• Risk standards require testing of entries made in preparing financial statements
• SAS 99 requires testing entries made throughout the year
Documented Understanding
• We now have an in-depth understanding of company, accounting system, and major
accounts/transactions
• Next step is to use this information to assess risks
SAS 107 Audit Risk Model
Audit Risk Model
• AR = IR x CR x DR
• where:
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk
DR = Detection Risk (Details/Analytics)
• Solve for DR:
DR = AR / (IR x CR)
Applying Model
• Use qualitative measures
• LOW = HIGH, MED, LOW
• LOW = LOW, MED, MED
Restated Model
• AR = RMM * DR
o AR = Audit Risk
o RMM = Risk of material misstatement
o DR = Detection Risk
Factors Influencing our assessment of risks
• Routine Transactions
• Some transactions that are routine, noncomplex and systematically processed may have
lower inherent risks. SAS 99, on Fraud, however, reminds us that some routine
transactions, such as cash, are more susceptible to fraud, and therefore have greater
inherent risk.
• Significant Risk Factors
• SAS 109 also describes some transactions as significant and requires additional audit
procedures. Significant risks often relate to non-routine or unusual transactions.
Transactions requiring manual or management intervention, complex calculations, or
estimates typically increase the assessment of inherent risk.
Financial Statement Risks
• Overall responses to address the assessed risks of material misstatement at the financial
statement level may include
o Emphasizing professional skepticism
o Assigning more experienced staff or those with specialized skills
o Providing more supervision
o Incorporating additional elements of unpredictability in the selection of audit
procedures
o Changes to the nature, timing, or extent of audit procedures
Prior Year Substantive Tests
• Evidence from substantive procedures in a prior audit provides little or no audit evidence
for the current period.
• If evidence obtained from substantive procedures in a prior audit is used, perform procedures
during the current period to establish the continuing relevance of the audit evidence.
Summary
• Gain understanding of client and assess risk on all engagements
• Audit approach will vary by client, by account, by assertion
• Mix of substantive and control testing
• Document link between risk assessment and auditing procedures
Reporting on Internal Control Matters
• SAS 112, Communications on Controls has been superseded. CPA has three options
with standards for internal control communications & reporting
• SAS 115 Communications on controls identified in audit
• SSAE 15 provides auditor of a non-public entity with the same guidelines as PCAOB AS
5
• Follow SSAE when you are performing an integrated examination of internal controls
while auditing the financial statements
• Effective 12/15/2008
AICPA Clarity Project
• Mirrors the IAASB’s Clarity Project
• Address concerns over the clarity, use of terms, and the length and complexity of auditing
standards
• Improve understandability and consistent application of auditing standards
• Make structural improvements to format of standards
Primary Impact of Clarity Project
• To establish objectives of each of the standards that provide a conceptual framework for
the
o Application of professional judgment and
o Obligation related to the objective
• Make structural and drafting changes to make SASs easier to read and understand and to
simplify the SASs by restructuring them.
• AICPA will prepare a Mapping Document for each section of Auditing Standards
Redrafting Standards
• ASB will redraft all SASs
• There will be little impact from a procedural point of view in the redrafting of the
standards
Redrafting will:
• Converge U.S. and ISA standards
• Some material will be moved to new SASs
• No significant changes from existing SASs
• Will move SASs to a more principles based format with application section (audit steps
to achieve principles)
XBRL
• XBRL (extensible business reporting language)
• XBRL is an XML-based framework that provides a standards-based method to prepare,
publish, extract, and exchange financial statements
• Not new accounting standards but how we communicate in digital language
• Uses “tags” to identify information
Filing Requirements
• SEC will phase in required XBRL reporting over three year period beginning June 15,
2009
• Other Federal Agencies
o Bill introduced in Congress in May that would require all Federal Agencies to
adopt XBRL reporting
What’s New in SSARS
Survey on Independence in Compilations
• ARSC conducted survey to determine how important independence is in a compilation
engagement
Question 1: Should SSARS No. 1 state that independence is not required in compilation and
delete requirement to disclose lack of independence?
• Yes 41.8%
• No 50.1%
• ARSC Conclusion
o It would be inappropriate to delete independence requirement or to delete
disclosing when not independent
• In compilation, if not independent disclose fact
Question 2: Expand Disclosure - Should SSARS No. 1 be revised to allow accountant to
describe reasons for lack of independence in compilation?
• Yes 57.9%
• No 32.5%
Exposure Draft
• Written engagement letter would be required for compilations
• For both Compilations and Reviews, Independence remains an element for reporting
• If independent, no change in reporting
Compilations
• If not independent because:
o Family relationship
o Direct financial relationship
o Perform internal control service
• Reporting options:
o State not independent without reason
o State not independent with general reason
Reviews
• If not independent because:
o Perform internal control service
• Include explanatory paragraph in review report
• Note: to perform review must be independent in all other aspects other than performing
internal control services
Rewriting SSARS: An Exposure Draft on dividing SSARS into “Chapters”
Chapter on Reviews
• Review Risk
• The terms review evidence and review risks are introduced into the review literature.
These concepts are the same as in the audit literature.
• Will not require same effort on risk assessment as in audit but does add a new dimension
to Reviews
Chapter on Compilations
• Knowledge of the Client
o The client’s business including a general understanding of the client’s
organization, its operating characteristics, and the nature of its assets, liabilities,
revenues, and expenses
o Accounting principles and practices used by the client and unusual accounting
policies and procedures that come to the accountant’s attention
o Understanding of the entity’s business is ordinarily obtained through experience
with the entity or its industry and inquiry of the entity's personnel
• Term risk assessment not used in new SSARS
• However, description of understanding client and industry is familiar (sounds like SAS
wording)