new statements on auditing standards and the yellow book...environment, government auditing, or the...
TRANSCRIPT
New Statements on Auditing Standards and the Yellow Book
2018 Yellow Book
NASACT Emerging LeadersConference
April 2020
Session Objective
This presentation covers the 2018 Yellow Book and highlights key areas that will impact 2020 audits.
2
Consideration of Independence in the Yellow Book• GAGAS’s practical consideration of independence consists of
four interrelated sections:• General requirements and application guidance• Conceptual framework for making independence
determinations• Independence and nonaudit services• Documentation (para. 3.17)
3
Independence General Requirements
• Independence of Mind• Independence in Appearance (para. 3.21)
• Statutory instances where independence is impaired (para. 3.25)• Example: requirement for auditors to
serve in official roles that conflict with indepence requirements (e.g., voting member of management committee with no safeguards).
• Modified GAGAS compliance statement.
4
Conceptual Framework for Independence
• Auditor’s should apply the conceptual framework at the audit organization, engagement team, and individual auditor level to:• Identify threats to independence;• Evaluate the significance of the threats identified, both
individually and in the aggregate;• Apply safeguards as necessary to eliminate the threats or
reduce them to an acceptable level. (para. 3.27)
5
Conceptual Framework for Independence
6
Categories of Threats to Independence
• Self-interest threat• Self-review threat• Bias threat• Familiarity threat• Undue influence threat• Management participation threat• Structural threat (para. 3.30)
7
Safeguards to Independence Threats
• Safeguards are actions or other measures, individually or in combination, that auditors and audit organizations take that effectively eliminate threats to independence or reduce them to an acceptable level.
• Safeguards vary depending on the facts and circumstances (para. 3.49)
• Examples of safeguards are listed in paragraphs 3.50 and 3.69. These provide a starting point and is not an exhaustive list.
8
Independence and Nonaudit Services
• Consider: does the nonaudit service create a threat to independence?
• If the nonaudit services could create a threat to independence, auditor’s should (among others):• Ensure management has the skills,
knowledge and experience to oversee and understand the services provided.
• Obtain agreement with management about management responsibility for oversight, evaluation and responsibility for the services (para. 3.76)
9
Nonaudit Services vs. Routine Activities
• Routine activities are not considered nonaudit services (para. 3.70).
• Examples include (para. 3.71):
• providing advice to the audited entity on an accounting matter as an ancillary part of the overall financial audit;
• providing advice to the audited entity on routine business matters;• educating the audited entity on matters within the technical expertise of the
auditors; and• providing information to the audited entity that is readily available to the
auditors, such as best practices and benchmarking studies
10
Safeguards Related to Nonaudit Services
Examples of safeguards for addressing threats to independence related to nonaudit services (para. 3.69):
a. not including individuals who provided the nonaudit service as engagement team members;
b. having another auditor, not associated with the engagement, review the engagement and nonaudit work as appropriate;
c. engaging another audit organization to evaluate the results of the nonaudit service; or
d. having another audit organization re-perform the nonauditservice to the extent necessary to enable that other audit organization to take responsibility for the service.
11
Additional Independence Guidance
• Application guidance to define management's “Skills, Knowledge and Experience” (SKE) an indicator is management’s ability to recognize a material error in services provided (para. 3.79 – 3.81)
• Application guidance to clarify that certain services provided by government audit organizations would generally not create threats to independence allowability of certain functions such as investigations (para. 3.72)
12
Independence Threats related to Preparing Financial Statements & Accounting Records
Nonaudit services performed by auditors related to financial statements and accounting records either:
13
Impair Independence
Are Significant Threats
The auditor prepares financial statements in their entirety (para. 3.88).OR The auditor determines that a service related to preparing financial statements or accounting records is a significant threat (para. 3.93).
Are Threats • Evaluate threat and document evaluation (para. 3.90).• Typing, formatting, printing, binding: not likely significant (para.
3.95)
Determining or changing journal entries and other accounting entries without obtaining management’s approval (para. 3.87)
Document the threats and safeguards applied to eliminate and reduce threats to an acceptable level (para. 3.33).ORDecline to perform the service (para. 3.88).
Additional Threats to Independence
• Other services not identified earlier include (but are not limited to):• Recording/posting transactions which
management has approved to the general ledger or trial balance;
• Preparing certain line items or sections of the financial statements based on the trial balance;
• Preparing account reconciliations that identify reconciling items for the audited entity management’s evaluation (para. 3.89).
• Auditors should evaluate and document the significance of these threats (para 3.90).
14
Evaluating and Documenting Threats
• Factors that are relevant for evaluation for the threats identified in the previous slide, auditors include:• The extent to which the service is material;• The subjectivity in determining appropriate amounts in the
financial statements;• The extent of the audited entity’s involvement in determining
significant matters of judgment.
15
Independence Considerations for Preparing Accounting Records and Financial Statements
16
CPE Requirements and Guidance
• Removed the 4-hour GAGAS Qualification CPE requirement proposed in the exposure draft
• Added application guidance related to obtaining GAGAS specific CPE each time a new Yellow Book revision is issued (para. 4.19)
17
CPE Requirements and Guidance (cont.)
• Similar to the 2011 Yellow Book, CPE requirements are:
(para. 4.16)
• Refined lists of examples of topics and subjects that qualify for the 24 hour and 56 hour requirements (paras. 4.21 - 4.24)
18
CPE Hours Subject Matter Categories of CPE
24 hoursSubject matter directly related to the government environment, government auditing, or the specific or unique environment in which the audited entity operates
56 hours Subject matter that directly enhance auditors’ professional expertise to conduct engagements
Competence of Specialists
Engagement team should determine whether specialists are qualified and competent in their areas of specialization (para. 4.12).
External specialists are not subject to Yellow Book CPE requirements (para. 4.30).
Internal specialists who are not involved in planning, directing, performing engagement procedures, or reporting are not subject to Yellow Book CPE requirements (para. 4.30).
IT auditors are considered auditors and thus are subject to the CPE requirements (para. 4.13).
19
Peer Review Requirements
Peer review section differentiates requirements for those audit organizations affiliated with a recognized organization.
20
Audit organization affiliated with a
recognized organization?
Yes
No
Peer Review Requirements
All audit organizations comply with GAGAS peer review requirements for:
Assessment of peer review risk (paras. 5.66 & 5.67),
Peer review report ratings (paras. 5.72 – 5.74), and
Availability of peer review report to the public (paras. 5.77 –5.80).
21
Peer Review Requirements: Not Affiliated
Audit organizations not affiliated with a recognized organization also comply with additional GAGAS peer review requirements in areas including:
Peer review scope (para. 5.82),
Peer review intervals (para. 5.84),
Written agreement for peer review (para. 5.86),
Peer review team (para. 5.89),
Report content (para. 5.91), and
Audit organization’s response to the peer review report (paras. 5.93 – 5.94).
22
Peer Review Report Ratings
23
Pass
Pass with deficiencies
Fail
Communicate deficiencies in the peer review report
Communicate deficiencies and significant deficiencies in the
peer review report
Quality Control
New specific requirements for quality control related to:
Annual independence affirmation (para. 5.09),
Undertaking engagements only if the audit organization has the capabilities, including time and resources, to do so (para. 5.12),
Consultation on difficult or contentious issues (para. 5.24),
Supervision and review of work (para. 5.36), and
Assigning an engagement partner or director to each engagement (para. 5.37).
24
Monitoring of Quality
New specific requirements for monitoring of quality related to:
Communication of monitoring sufficient to enable corrective actions (para. 5.44), and
Evaluation of deficiencies noted during monitoring (para. 5.45).
25
Internal Control: Financial Audits and Examination Engagements
Considering a comprehensive internal control framework such as Standards for Internal Control in the Federal Government or Internal Control –Integrated Framework can help auditors identify the cause of findings and develop recommendations. (paras. 6.18 & 7.20)
26
Elements of a Finding
Condition: the situation that exists.
Criteria: standards for what should be.
Cause: the explanation of why the condition deviates (if it does) from the criteria.
Effect: the actual or potential consequences of allowing the condition to persist.
27
Internal Control: Performance Audits
Auditors should document the significance of internal control to performance audit objectives (para. 8.39).
28
Internal control significant to
audit objectives?
Yes
No
Document and Proceed
(See next slide)
Document
Determine, as applicable, for new or revised objectives
Internal Control: Performance Audits (cont.)
Internal control significant to audit objectives =
Obtain an understanding of internal control that is significant to the audit objectives (para. 8.40).
Assess and document the assessment of internal control to the extent necessary to address the audit objectives (para. 8.49).
Evaluate and document the significance of identified internal control deficiencies within the context of the audit objectives (para. 8.54).
Consider internal control deficiencies when developing the cause element of findings (para. 8.117).
Identify in the audit report which internal control components and principlesare significant (para. 9.30).
29
Yes
Fraud, Waste, and Abuse
30
FRAUD ABUSEWASTE
New Considerations for Addressing Waste
• Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose.
• Waste can include activities that do not include fraud and abuse and does not necessarily involve a violation of law.
• Waste relates primarily to mismanagement, inappropriate actions, and inadequate oversight.
(paras. 6.21, 7.23, & 8.120)
31
Waste and Abuse
Auditor considerations related to waste and abuse are intended to be consistent.
Auditors are not required to perform procedures to detect waste or abuse.
Evaluating internal control in a government environment may include consideration of internal control deficienciesthat result in waste or abuse.
(paras. 6.20, 7.22, & 8.119)
32
New SAS and SSAE since July 2018
33
Standard Issue Date Effective DateSAS No. 134 May 2019 December 15, 20201
SAS No. 135 May 2019 December 15, 20201
SAS No. 136 July 2019 December 15, 20201
SAS No. 137 July 2019 December 15, 20201
SAS No. 138 December 2019 December 15, 20202
SSAE No. 19 December 2019 July 15, 20213
SSAE No. 20 December 2019 December 15, 20203
1Periods ending on or after this date. Early implementation not permitted.2Periods ending on of after this date.3For reports dated on or after this date.
SAS No. 134
• Auditor Reporting and Amendments, Including Amendments Addressing Disclosures in the Audit of Financial Statements
• Effective for periods ending on or after December 15, 2020. Early implementation not permitted.
• Summary:• SAS No. 134 section 700 - Forming an Opinion and Reporting
• Auditor’s opinion is required to be presented first.• Basis of opinion follows the opinion
• Including a statement that the auditor is required to be independent and meet other relevant ethical responsibilities.
34
SAS No. 134 (cont.)
• Summary (cont.)• SAS No. 134 section 700 (cont.)
• Enhanced auditor reporting relating to going concern.• Auditor to include a separate section titled
“Substantial Doubt About the Entity's Ability to Continue as a Going Concern” when substantial doubt exists.
• Expands description of the auditor’s responsibilities• More regarding responsibilities relating to professional
judgment, professional skepticism, and communications with those charged with governance.
• Requires the auditor to communicate with those charged with governance about significant risks identified.
35
SAS No. 134 (cont.)
• Summary (cont.)• SAS No. 134 section 701 - Key Audit Matters (KAM)
• When engaged to include KAM, section 701 addresses what and how to communicate KAM in the auditor’s report.
• SAS No. 134 section 705 – Modifications to the Opinion• Aligns form and content of the auditor’s report with
section 700 noted above when a opinion is other than unmodified.
• Does not change circumstances and type of modifications to an opinion.
36
SAS No. 134 (cont.)
• Summary (cont.)• SAS No. 134 section 706 – Emphasis-of-Matter (EOM) and
Other-Matter Paragraphs• Clarifies the relationship between EOM and KAM
• When engaged to communicate KAM, an EOM paragraph cannot be used as a substitute for a KAM section.
• SAS No. 134 also includes new requirements in AU-C 315 and AU-C 330
• Includes enhanced application material in these and other AU-C sections.
37
SAS No. 135
• Omnibus Statement on Auditing Standards - 2019• Effective for periods ending on or after December 15, 2020.
Early implementation not permitted.• Summary:
• More closely aligns standards with PCAOB standards.• Mainly amends:
• AU-C 260 – Communications With Those Charged With Governance
• Adds additional communication regarding the entity's significant unusual transactions and potential effects of uncorrected misstatements to future periods.
38
SAS No. 135 (cont.)
• Summary (cont.)• Mainly amends:
• AU-C 550 – Related Parties• Adds/amends
requirements and application material to heighten the auditor’s focus on related parties relationships and transactions.
39
SAS No. 135 (cont.)
• Summary (cont.)• Mainly amends:
• AU-C 240 – Consideration of Fraud in a Financial Statement Audit
• Introduces and defines the term significant unusual transactions.
• Includes requirements for evaluating these transactions and guidance and related to the transactions.
40
SAS No. 136
• Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA
• Effective for periods ending on or after December 15, 2020. Early implementation not permitted.
• Summary:• Only applicable to audits of employee benefit plans subject to
ERISA.• Codified in new AU-C section 703. For audits of ERISA plan, SAS
No. 136 applies instead of AU-C 700 and AU-C 725.09. • ERISA limited scope audit now referred to as an ERISA section
103(a)(3)(C) audit• Electing to exclude certain investments no longer considered a
scope limitation41
SAS No. 137
• The Auditor’s Responsibilities Relating to Other Information Included in Annual Reports
• Effective for periods ending on or after December 15, 2020. Early implementation not permitted.
• Summary:• Supersedes SAS No. 118.• Clarifies the scope of documents that are
subject to auditor procedures.• The auditor obtains written
acknowledgement as to document(s) comprise the annual report.
42
SAS No. 138 and SSAE No. 20
• Amendments to the Description of the Concept of Materiality• Effective for periods ending, or for practioners’ examination or review
reports dated, on or after December 15, 2020.• New standards align the materiality concepts with descriptions of
materiality used by the U.S. judicial system, PCAOB, SEC, and FASB.• ASB believes that the revised definition is consistent with current
practices, and is not expected or intended to change practices.• Revised definition:
• Misstatements, including omissions, are considered to be material if there is a substantial likelihood that, individually or in the aggregate, they would influence the judgment made by a reasonable user based on the financial statements.
43
SSAE No. 19
• Agreed-Upon Procedures Engagements• For reports dated on or after July 15, 2021. Early
implementation permitted.• Supersedes SSAE No. 18 AT-C section 215, and amends
certain provisions of section 105• Summary:
• Removes the requirement that the practitioner request an assertion from the responsible party.
• Allows the issuance of general-use reports rather than use by specified parties.
44
Upcoming ASB Projects
• The following projects are on the ASB’s proposed workplan for 2020-2021.• Examination and review attestation standards• SAS No. 134 Conforming Amendments• Audit Evidence (AU-C Section 500)• Estimates (AU-C Section 540)• Risk Assessment (AU-C Section 315)• Management Specialists (AU-C Section 501)• Quality Management (QC Section 10, AU-C Section 220)• Group Audits (AU-C Section 600)• Noncompliance with Laws and Regulations
45
Audit Evidence
• Revisions will deal with:• Use of emerging
technologies• Audit Data Analytics• Professional Skepticism• External Information
Sources• Final SAS due to be issued
in Q1 2020• Will have an effective date
of June 2021
46
Estimates
• Recent changes to International Auditing Standards.• ASB seeks to converge with ISA 540• Changes include (among others):
• Objective based requirements• Enhanced requirements addressing disclosures• Enhanced risk assessment procedures• Expanded documentation requirements
• Proposed effective date of December 15, 2022
47
Compliance Audits
• Exposure draft on AU-C 935 is coming soon.
• AICPA is aiming for an update to AU-C 935 to be in place by mid-2020
48
Current IAASB Projects
• The following IAASB projects are being monitored by ASB• Quality Management (formerly Quality Control)• Risk Assessment• Group Audits• Professional Skepticism• Audits of Less Complex Entities
49
Where to Find the Yellow Book
• The Yellow Book is available on GAO’s website at:www.gao.gov/yellowbook
• For technical assistance, contact us at:[email protected] call (202) 512-9535
50
Thank You
Questions?
51