1 auditing standards update nasact conference august 14, 2012 james r dalkin
TRANSCRIPT
1
Auditing Standards Update
NASACT Conference
August 14, 2012
James R Dalkin
American Institute of CPAs
AICPA Standards Update
2
Technical Update - AICPA
• Auditing Standards• Clarity Project • SAS 125 – Restricting the Use of an Auditor’s
Report• Group Audits• SAS 118 –120 - Supplementary Information
• All effective for audits of financial statements beginning on or after 12/15/2010 (early application permitted)
• Relevant Audit Guides
3
Technical Update – AICPA - Clarity
• Standards Issued• SAS No. 122, Statements on Auditing Standards:
Clarification and Recodification • SAS No. 123, Omnibus Statement on Auditing Standards–
2011• SAS No. 124, Financial Statements Prepared in
Accordance With a Financial Reporting Framework Generally Accepted in Another Country
• SAS No. 125, Alert That Restricts the Use of the Auditor’s Written Communication
• Effective for audits of periods ending on or after December 15, 2012; no early implementation
4
Technical Update – AICPA Clarity
• AU Section numbers will change to correspond to ISA numbers
• Many changes not intended to significantly impact practice, but some will have a significant effect
• Additional Quality Control guidance• QC responsibilities for the audit more specifically described• Overall QC function remains “firm” responsibility, but
responsibilities are engagement partner’s and engagement team’s
• Some changes in audit report to more clearly describe management’s responsibility
• New format to use report headings
5
Technical Update – AICPA Clarity
• Keep in mind that many of the clarity standards have “governmental consideration” paragraphs that are specific to the public sector
• May cover Yellow Book/compliance audit considerations
• May cover financial statement audit considerations
6
Technical Update – AICPA Clarity
• Group Audit Standard Will Have Bigger Impact• More specific as to what group engagement partner is
responsible for• Will affect many governmental and NPO financial
statement audits• Still working to determine effect on compliance audits
• Listen to an archived GAQC Web event, New Group Audits Standard and Its Effect on Your Governmental and Not-For-Profit Audits
7
Technical Update – AICPA Clarity
• Clarity section of AICPA.org• Standards
• Videos• Mapping from extant to new standards• More
• Listen to an archived GAQC Web event titled, Implementing the Clarified SASs in a Governmental and Not-For Profit Audit Environment: What, When, and How?
8
Technical Update – AICPA Clarity
• SAS No. 125 - Government Auditing Standards reports (including A-133 reports) will contain purpose alert instead of restriction alert
• Pay particular attention to effective date• Effective for the auditor’s written communications related to
audits of financial statements for periods ending on or after 12/15/12
• For all other engagements conducted in accordance with GAAS, this SAS is effective for the auditor’s written communications issued on or after 12/15/12
9
Technical Update
• Single audit reports issued after 12/15/12, new wording must be used (could affect 6/30/12 audits)
• Yellow Book reports associated with f/s audit, new wording not used until periods ending on or after 12/15/2012
10
Technical Update – AICPA – SAS 118-120Relationship of GAAP-Defined SI and GAAS
11
Technical Update – AICPA – SAS 118-120
SAS No. 118, Other Information in Documents Containing Audited Financial Statements•Requires auditor to
• Read the information to identify material inconsistencies• Make appropriate arrangements to obtain the OI prior to the report
release date – if not possible, read as soon as practicable• Communicate auditor’s responsibility on OI & results to those charged
with governance
•Revisions/communication required if auditor finds material inconsistencies
• How/where depend upon whether management makes revisions & whether material inconsistencies were found prior/post to release date
•Discuss material misstatements of fact•Illustrative disclaimer language provided but not required
12
Technical Update – AICPA
SAS No. 119, Supplementary Information in Relation to the Financial Statements as a Whole•Scope
• When the auditor is engaged to report on whether SI is fairly stated, in all material respects, in relation to the f/s as a whole
•Requires the auditor to determine certain conditions are met•Provides for specific management representations
13
Technical Update – AICPA
SAS No. 119, Supplementary Information in Relation to the Financial Statements as a Whole•Specific procedures using the materiality level used in the audit of the F/S
• However, keep in mind that auditor has to perform procedures beyond SAS No. 119 due to the compliance audit
•Consideration of subsequent events not required for SI, however still have to consider any information related to the F/S•Reporting requirements under various scenarios•Dating – not earlier than the date on which the auditor completed procedures on SI
14
Technical Update – AICPA
SAS No.120, Required Supplementary Information•RSI: Information that a designated accounting standard setter requires to accompany an entity’s basic financial statements•Establishes auditor’s objectives for RSI•Establishes presumptively mandatory auditor requirements•Reporting
• Requires explanatory paragraph in all circumstances that refers to RSI
• Establishes reporting requirements
15
Technical Update – AICPA - Audit Guides
•Primary Focus
• Government Auditing Standards & Circular A-133 Audits
• Other Industries Include• State and Local Governments• Not for Profit Entities• Health Care Entities• Gaming• Sampling
• Audit Risk Alerts• Checklists & Illustrative Statements
16
Technical Update – AICPA Audit Guides
• AICPA Audit Guide, Government Auditing Standards and Circular A-133 Audits
• 2012 edition issued in May • SAS No 119 is fully incorporated into guide (including the
illustrative reports and SEFA practice aids in chapter 7)• Appendix added with a summary of 2011 Yellow Book revisions • Two new “clarity” Appendixes
• Information on AU-C sections with substantive changes or significant clarifying changes resulting from clarity
• Table that maps current AU sections to the new AU-C section numbers
• GAS-A133 Audit Risk Alert Coming Soon• Guide - Looking forward
• Clarity• New Yellow Book
17
Technical Update – AICPA – Audit Guides
• AICPA A&A Guide, State and Local Governments
• 2012 Edition expected in July 2012• Incorporated GASB 62 (earlier than normal) but did so with
appropriate footnotes to assist those that have not early implemented.
• Also updated for SAS Nos. 118, 119 & 120; illustrative reports updated for these statements and will also be posted on GAQC Web site
• Other SLG Publications Coming Soon!• Updated SLG Practice Aid for Other Comprehensive Basis
of Accounting • SLG Audit Risk Alert
18
Technical Update – OMB Compliance Supplement – Emphasis Areas
• An auditor may consider a Type A program or cluster to be low-risk if all of the following conditions exist:
• Program or cluster had Recovery Act expenditures in the prior audit period;
• Program or cluster was audited as a major program in EITHER OF THE TWO PRIOR AUDIT PERIODS;
• Recovery Act expenditures in the current audit period are less than 20% of the total program or cluster expenditures; and
• Auditor has followed Section 520(c) and 525 of OMB Circular A-133 and determined that the program or cluster is otherwise low-risk
19
Technical Update – OMB Proposed Single Audit Changes
• Proposed Changes to Single Audit• OMB issued an Advance Notice of Proposed Guidance titled, Reform of
Federal Policies Relating to Grants and Cooperative Agreements; cost principles and administrative requirements (including Single Audit Act)
• Why changes now?• GAQC Executive Committee task force responded to the OMB Advance
Notice on behalf of AICPA• Feedback also obtained from general membership, other volunteer
AICPA committees, and state societies• Comment letter can be accessed on GAQC Web site (www.aicpa.org/GAQC)
20
Technical Update – OMB Proposed Single Audit Changes
• Potential Changes• Increase audit threshold from $500K to $1M• Establish new category of Single Audit (Entities between
$1-3M)• Changes for larger Single Audits >$3M• Changes to cost principles and administrative
requirements
21
Looking Forward
• OMB to analyze the feedback received on Advance Notice
• Proposed regulatory changes may be released for comment before the end of the calendar year
• Revisions to OMB Circular A-133• Revisions to the OMB Cost Principles (A-21, A-87, A-122)• Revision to Administrative Requirements (A-110, Common
Rule)
• No plans that we are aware of to amend the Single Audit Act
22
23
2011 Yellow BookEffective Dates
• Effective for financial audit periods ending on or after December 15, 2012
• Effective for attestation periods ending on or after December 15, 2012
• Effective for performance audits starting on or after December 15, 2011
• Early adoption is not permitted
2424
Primary Yellow Book Changes
• Updated independence• Included a conceptual framework
• Focused on converging where practical• Incorporated clarified SASs• Fewer differences
• Added documentation requirements• Additional documentation in independence• Focus on non-audit services
• Made minor changes for performance audits
2525
General Standards: Independence
Conceptual Framework• Allows the auditor to assess unique circumstances• Adaptable • Consistent with AICPA and IFAC frameworks
Significant differences from ET-101-3• Entry point for use of the framework• Emphasis on services “in aggregate”• Documentation requirement
2626
Applying the Framework
• New approach combines a conceptual framework with certain rules (prohibitions)• Balances principle and rules based standards• Serves as a hybrid framework
• Certain prohibitions remain• Generally consistent with Rule 101 AICPA
• Beyond a prohibition• Apply the conceptual framework• Will be used more often than AICPA
26
27
Chapter 3 – General Standards: Independence
Threats could impair independence• Do not necessarily result in an independence
impairment
Safeguards could mitigate threats • Eliminate or reduce to an acceptable level
28
GAGAS Conceptual Framework for Independence
Assess condition or activity for threats to independence
Assess safeguard(s) effectiveness
Identify and apply safeguard(s)
Assess threat for significance
Is threat significant?
Threat identified?
Is threat eliminated or reduced to an acceptable level?
Yes
Yes
Document nature of threat and any safeguards applied
Yes
No
Independence impairment; do
not proceed
No
Is threat related to a nonaudit service?
Is the nonaudit service specifically prohibited in GAGAS paragraphs
3.36 or 3.49 through 3.58?No
No
Yes
Yes
Proceed
Proceed
Proceed
No
2929
Documentation RequirementConceptual Requirement
New documentation requirement• Must document when safeguards have been
applied• Beyond the threat level• Only once safeguards are applied• Document how safeguards sufficiently
mitigate the threats
3030
IndependenceCategories of Threats
1. Management participation threat2. Self-review threat3. Bias threat4. Familiarity threat5. Undue influence threat 6. Self interest threat7. Structural threat
3131
Routine Audit Services and Nonaudit Services
Routine audit services pertain directly to the audit and include:
• Providing advice related to an accounting matter
• Researching and responding to an audited entity’s technical questions
• Providing advice on routine business matters• Educating the audited entity on technical
matters
Other services not directly related to the audit are considered nonaudit services
3232
Routine Audit Services and Nonaudit Services
Services that are considered non-audit services include:• Financial statement preparation• Bookkeeping services• Cash to accrual conversions (a form of
bookkeeping)• Other services not directly related to the audit
Unless specifically prohibited, nonaudit services MAY be permissible but should be documented
• In relation to the conceptual framework• In relation to the auditor’s assessment of
managements’ skill, knowledge or experience
33
Nonaudit Services
• Certain services may be permitted• First, determine if there is a specific prohibition• If not, the auditor should assess the nonaudit
service’s impact on independence using the conceptual framework
34
Assessing Significance in the Conceptual Framework for Non-audit services
The framework requires the auditor to assess the significance of threats
• Threats related to non-audit services often include
• Management participation threat• Self review threat
• Indicators of a significant threat include:• Level of services provided (aggregation assessment)• Significance to the audit objective• Basic understanding of the service enough to recognize
material errors• Facts and circumstances that increase the perception that
the auditor is working as part of management
3535
Preconditions to Performing Nonaudit Services
• Management should take responsibility for non-audit services performed by the auditors
• Auditors should document their understanding with management regarding the non-audit service
• Auditors should assess (AICPA) and document (GAGAS) whether management possesses suitable skill, knowledge, or experience to oversee the nonaudit service
3636
Assessing Management’s Skill, Knowledge, or Experience
Factors to document include management’s:• Understanding of the nature of the service• Knowledge of the audited entity’s mission and
operations• General business knowledge• Education• Position at the audited entity
Some factors may be given more weight than others
GAGAS does not require that management have the ability to perform or reperform the service
37
Sufficiency of Skills, Knowledge and Experience
Sufficient skills, knowledge and experience may be judged in part based on:
• Ability of the identified client personnel to identify material errors or misstatements in a non audit service work product
• Ability of the client to sufficient background to understand the nature and results of the audit service
• Ability of management to take responsibility and understand the work
Client prepared material in poor condition may indicate the client is not capable of taking responsibility for the service. Significant audit findings and adjustments may also be indicative of this issue.
38
Safeguards – Non audit services
• Auditors should document safeguards when significant threats are identified.
• Auditor has responsibility to perform the assessment, this cannot be a management assertion
• Assessment should be in writing and indicate actions the auditor has taken to mitigate the threat
• Assessment should include a conclusion• Auditor should document actions taken to mitigate the
threat• Examples may include:
• Actions taken by the client to gain an understanding of the non-audit service and detect any errors
• Actions taken by the auditor to preserve independence such as an extra level of review or secondary review
39
Bookkeeping Services
May be performed provided the auditor does not• Determine or change journal entries, account
codings or classifications for transactions, or other accounting records without obtaining client approval
• Authorize or approve transactions• Prepare source documents• Make changes to source documents without client
approval
Consistent with AICPA ET 101-3
40
Prohibitions within Internal Audit
Services provided by external auditors• Setting internal audit policies or the strategic
direction
• Deciding which recommendations resulting from internal audit activities to implement
• Taking responsibility for designing, implementing and maintaining internal control
4141
Prohibitions within IT Services
External auditors may not• Design or develop an IT system that would be
subject to or part of an audit• Make significant modifications to an IT system’s
source code • Operate or supervise an IT system
Significant change in auditing prohibitions for future periods after a system implementation
42
Prohibitions within Valuation Services
External auditors may not provide valuation services that
• Would have a material effect, • Involve a significant degree of subjectivity, and• Are the subject of an audit
43
Prohibitions Related to Internal Control Monitoring
External auditors• May not provide ongoing monitoring services• May not design the system of internal controls
and then assess its effectiveness
• May evaluate the effectiveness of controls
Management is responsible for designing, implementing and maintaining internal control
4444
Financial Statement Preparation
Auditors may prepare financial statements• Considered by GAGAS a non-audit service• Must apply the conceptual framework• Two additional documentation requirements
• Document application of safeguards• Document assessment of management’s skill,
knowledge or expertise
45
Assessing Significance for Bookkeeping and Financial Statement Preparation
Relative significance is a continuum• Indicators of significant threats for bookkeeping
and financial statement preparation may include:• Financial statement preparation with other non-audit
services such bookkeeping or cash to accrual conversions• Condition of client prepared books and records• Level of anticipated “correction” or adjustments to client
prepared schedules and documents• Condition of the general ledger/trial balance
• Less significant may be:• Purely mechanical calculations
4646
Independence Q&A Guide
GAO will retire current Government Auditing Standards: Questions and Answers to Independence Standard
Questions guidance
47
Revisions to Timeframes Related to IT and Other Services
Q&A guidance prohibited installing or designing a system and subsequently performing an audit
• This prohibition has been deleted
Other potential considerations • Independence in appearance for subsequent
periods
Possible Safeguard: One audit cycle performed by another audit organization after the nonaudit service completion date provide a safeguard
48
General Standards: Continuing Professional
Education (CPE)
No revision to overall requirements:• Minimum of 24 hours of CPE every 2 years
• Government• Specific or unique environment• Auditing standards and applicable accounting
principles• Additional 56 hours of CPE for auditors involved in
• Planning, directing, or reporting on GAGAS assignments; or
• Charge 20 percent or more of time annually to GAGAS assignments
• Minimum of 20 hours of CPE each year
49
General Standards: Competence
CPE requirements for external specialists:• External specialists are not required to meet
GAGAS CPE requirements, but should be qualified and maintain professional competence
50
General Standards: Competence
CPE requirements for internal specialists:• Internal specialists serving as auditors are
subject to all CPE requirements• Specialized CPE count towards the required 24
hours• Internal consulting specialists are not required
to meet GAGAS CPE requirements, but should be qualified and maintain professional competence
51
General Standards: Quality Control and Assurance
Harmonized quality control system with AICPA standards
Additional requirements for consistency with AICPA• Communicate deficiencies noted • Recommend remedial action
52
Overall Changes for Financial Audits
53
Overall Changes for Financial Audits
• Considered Clarity Project conventions• Streamlined language to harmonize with AICPA• Clarified additive requirements
No new requirements were added for financial audits and attestation engagements
54
Requirements Beyond AICPA
Additional requirements relate to• Auditor communication• Previous audits and attestation engagements• Noncompliance with provisions of contracts or
grant agreements, or abuse• Developing elements of a finding • Documentation
For attestation engagements, this applies only at the examination level
55
Requirements Beyond AICPA
Additional requirements relate to• Reporting auditors’ compliance with GAGAS• Reporting on internal control, compliance with
provisions of laws, regulations, contracts, and grant agreements, and other matters
• Reporting views of responsible officials• Reporting confidential or sensitive information• Distributing reports
56
Special Considerations for Government Engagements
Applying certain AICPA standards • Materiality• Early communication of deficiencies (SAS No.
115)
57
Removed Duplicative Requirements
Financial Audits• Restatements• Internal control deficiency definitions • Communication of significant matters• Consideration of fraud and illegal acts
Attestation Engagements • Internal control deficiency definitions
58
Chapter 5Attestation Engagements
59
Chapter 5 - Attestation Engagements
Separated attest requirements • Examination• Review• Agreed-Upon Procedures
Update considerations• Identified practice issue• Clarified distinctions between engagement
types• Emphasized AICPA reporting requirements
60
Chapter 5 - Attestation Engagements
Within each section, emphasized • Citing compliance with GAGAS• Required elements of AICPA reporting • Communicating the services to be performed
61
Chapters 6 & 7Field Work & Reporting
Standards for Performance Audits
62
Chapter 7 - Performance Audits: Reporting - Modifications
Updates to fraud requirements• Emphasized fraud reporting to occurrences
significant to the audit objectives • Fraud that is not significant within the context of
the audit objectives but warrants the attention of those charged with governance should still be communicated in writing to officials