Posted on 06-Mar-2018

Use of CPA Workpapers in Financial Exams

Learning Objectives

• Explain the CPA’s testing procedures.

• Use the CPA workpapers more efficiently and effectively in the exam process.

• Explain how to incorporate the IT testing performed by the CPAs into the financial exam process.

Independent/External Audit Process

• What is an Audit?

– An audit consists of a methodical review and objective examination of an insurer’s financial statements.

– The objective of the auditor’s examination is to express an opinion on the financial statements. This expression takes the form of an audit report.

Independent/External Audit Process

– Types of Opinions:

• Unqualified – An auditor’s report stating that the financial statements are presented fairly in all material respects.

• Qualified – An auditor’s report stating that, “except for” the effects of the matters to which the qualification relates, the financial statements are presented fairly, in all material respects.

• Adverse – An auditor’s report stating that the financial statements taken as a whole do not present fairly the financial position, results of operations or cash flows in accordance with accounting principles.

• Disclaimer of Opinion – An auditor’s report stating that the auditor does not express an opinion on the financial statements.

• Typically, when a company prepares its financial statements on a statutory basis, the auditor’s report will express an adverse opinion with respect to U.S. Generally Accepted Accounting Principles (GAAP) and an unqualified opinion on the regulatory (statutory) basis of accounting.

Independent/External Audit Process

• Auditing Standards

– Generally Accepted Auditing Standards

• The auditor is responsible for the performance of a properly planned and executed audit. The criteria for such an audit are the generally accepted auditing standards (GAAS).

• Statements on Auditing Standards (SAS) are the interpretations of GAAS issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

http://www.aicpa.org/Research/Standards/AuditAttest/Pages/clarifiedSAS.aspx

• The Public Company Accounting Oversight Board (PCAOB) was established pursuant to the Sarbanes-Oxley Act of 2002. The PCAOB establishes auditing and related professional practice standards to be used in the preparation and issuance of audit reports for public companies subject to the rules of the Securities and Exchange Commission (SEC).

Independent/External Audit Process

• Audit Risk

– The independent auditors utilize an audit risk model.

– Audit risk is the risk that an auditor issues an incorrect opinion on the financial statements. Examples of inappropriate audit opinions include the following:

• Issuing an unqualified audit report where a qualification is reasonably justified;

• Issuing a qualified audit opinion where no qualification is necessary;

• Failing to emphasize a significant matter in the audit report;

• Providing an opinion on financial statements where no such opinion may be reasonably given due to a significant limitation of scope in the performance of the audit.

Independent/External Audit Process

• Audit Risk Model

– Audit Risk = Inherent Risk x Control Risk x Detection Risk

– Audit risk may be considered as the product of the various risks which may be encountered in the performance of the audit. In order to keep the overall audit risk of engagements below an acceptable limit, the auditor must assess the level of risk pertaining to each component of audit risk.

Independent/External Audit Process

• Components of Audit Risk

– Inherent Risk

• Inherent risk is the risk of a material misstatement in the financial statements arising due to error or omission as a result of factors other than the failure of controls (factors that may cause a misstatement due to absence or lapse of controls are considered separately in the assessment of control risk).

• Inherent risk is generally considered to be higher where a high degree of judgment and estimation is involved or where transactions of the entity are highly complex.

• For example, the inherent risk in the audit of a newly formed insurance company that has significant and complex derivative instruments would be significantly higher as compared to the audit of a well-established insurance company with a fairly conservative investment portfolio that is operating in a relatively stable competitive environment.

Independent/External Audit Process

• Components of Audit Risk

– Control Risk

• Control risk is the risk of a material misstatement in the financial statements arising due to the absence or failure in the operation of relevant controls of the insurer.

• Organizations must have adequate internal controls in place to prevent and detect instances of fraud and error. Control risk is considered to be high where the audit entity does not have adequate internal controls to prevent and detect instances of fraud and error in the financial statements.

• Assessment of control risk may be higher, for example, in the case of a small insurer in which segregation of duties is not well defined and the financial statements are prepared by individuals who do not have the necessary technical knowledge of insurance accounting and finance.

Independent/External Audit Process

• Components of Audit Risk

– Detection Risk

• Detection risk is the risk that the auditors fail to detect a material misstatement in the financial statements.

• An auditor must apply audit procedures to detect material misstatements in the financial statements whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit, such as the use of sampling for the selection of transactions.

• Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.

Independent/External Audit Process

• Application of the Audit Risk Model

– The audit risk model is used by the auditors to manage the overall risk of an audit engagement.

– Auditors proceed by examining the inherent and control risks pertaining to an audit engagement while gaining an understanding of the insurer and its environment.

– Detection risk forms the residual risk after taking into consideration the inherent and control risks pertaining to the audit engagement and the overall audit risk that the auditor is willing to accept.

– Where the auditor's assessment of inherent and control risk is high, the detection risk is set at a lower level to keep the audit risk at an acceptable level. Lower detection risk may be achieved by increasing the sample size for audit testing. Conversely, where the auditor believes the inherent and control risks of an engagement to be low, detection risk is allowed to be set at a relatively higher level.

Independent/External Audit Process

• Application of the Audit Risk Model

– Example:

• CPA Firm, LLP, is an audit and assurance firm which has recently accepted the audit of ABC Insurance Company, Inc. (Company). During the planning of the audit, the engagement manager noted the following information regarding the Company for consideration in the risk assessment process:

– The Company is a privately held company primarily writing Home Owners insurance in the State of Florida;

– The Company is part of a holding system and has a large network of subsidiaries, including foreign and domestic joint ventures;

– The Company does not have an internal audit department and its audit committee does not include any members with a background in finance as suggested in the corporate governance guidelines;

– It is the firm's policy to keep the overall audit risk below 10%.

Independent/External Audit Process

• Application of the Audit Risk Model

– Example: (Continued)

• Inherent risk in the audit of the Company's financial statements is particularly high because the insurer is operating in a highly regulated sector, the geographical area within which the Company operates is prone to catastrophes, and the Company has a complex network of related entities which could be misrepresented in the financial statements in the absence of relevant financial controls. The first audit assignment is also inherently risky as the firm has relatively less understanding of the insurer and its environment at this stage. The inherent risk for the audit may therefore be considered as high.

• Control risk involved in the audit also appears to be high since the Company does not have proper oversight by a competent audit committee concerning the financial aspects of the organization. The Company also lacks an internal audit department, which is a key control especially in a highly regulated environment. The control risk for the audit may therefore be considered as high.

Independent/External Audit Process

• Application of the Audit Risk Model

– Example: (Continued)

• If inherent risk and control risk are assumed to be 60% each, detection risk has to be set at 27.8% in order to prevent the overall audit risk from exceeding 10%.

• Working

– Audit Risk = Inherent Risk x Control Risk x Detection Risk

– 0.10 = 0.60 x 0.60 x Detection Risk

– Detection Risk = 0.10 / (0.60 x 0.60) = 0.10 / 0.36 = 0.278 = 27.8%

» Note: The detection risk percentage is used by the auditor in calculating sample sizes.
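The working above solves the model for one unknown by hand. The following Python solver is an added example, not part of the presentation: it rearranges Audit Risk = Inherent Risk x Control Risk x Detection Risk for whichever component is unknown, enforces the domain checks the hand calculation takes for granted (every component in (0, 1], exactly one unknown), and caps detection risk at 100% for the case where assessed inherent and control risk are already below the acceptable audit risk. Function and parameter names are my own; the 10%/60%/60% figures are the slide's, and the other inputs in the `__main__` loop are constructed for illustration.

```python
"""Audit risk model solver.

Added example (not from the presentation): solves
    Audit Risk = Inherent Risk x Control Risk x Detection Risk
for whichever component is unknown and reproduces the CPA Firm, LLP /
ABC Insurance working (AR 10%, IR 60%, CR 60% -> DR 27.8%). Function and
parameter names are my own; the 10%/60%/60% figures are the slide's and
the other inputs in __main__ are constructed for illustration.
"""


def solve_audit_risk(audit_risk=None, inherent=None, control=None, detection=None):
    """Return the single missing component of the audit risk model.

    Exactly one argument must be None. Supplied values must lie in (0, 1]:
    a component of 0 makes the product zero and leaves the unknown
    undefined, and no risk can exceed 100%.
    """
    components = {
        "audit_risk": audit_risk,
        "inherent": inherent,
        "control": control,
        "detection": detection,
    }
    unknown = [name for name, value in components.items() if value is None]
    if len(unknown) != 1:
        raise ValueError("exactly one component must be unknown")
    for name, value in components.items():
        if value is not None and not 0 < value <= 1:
            raise ValueError(f"{name} must be in (0, 1], got {value}")

    target = unknown[0]
    if target == "audit_risk":
        return inherent * control * detection
    # Rearrange AR = IR x CR x DR: the unknown is AR divided by the other two.
    product = 1.0
    for name, value in components.items():
        if name not in ("audit_risk", target):
            product *= value
    return audit_risk / product


def planned_detection_risk(audit_risk, inherent, control):
    """Detection risk the auditor may accept, capped at 100%.

    When IR x CR is already below the acceptable audit risk the model
    yields a value above 1; a risk cannot exceed 100%, so detection risk
    is set at its maximum (the least substantive testing the model allows).
    """
    return min(1.0, solve_audit_risk(audit_risk=audit_risk,
                                     inherent=inherent, control=control))


def abc_insurance_example():
    """The slide's working: 0.10 = 0.60 x 0.60 x DR, so DR = 0.278."""
    return round(planned_detection_risk(0.10, 0.60, 0.60), 3)


if __name__ == "__main__":
    print(f"ABC Insurance detection risk: {abc_insurance_example():.1%}")
    # Higher assessed inherent/control risk forces a lower detection risk
    # (larger samples); lower assessed risk permits a higher one.
    for ir, cr in [(0.90, 0.90), (0.60, 0.60), (0.30, 0.30)]:
        dr = planned_detection_risk(0.10, ir, cr)
        print(f"IR={ir:.0%} CR={cr:.0%} -> detection risk may be set at {dr:.1%}")
```

Running the loop shows the inverse relationship the slides describe: at IR = CR = 90% the auditor can accept only 12.3% detection risk, at 60% the slide's 27.8%, and at 30% the product 0.09 is already below the 10% target, so the cap leaves detection risk at its maximum.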

Independent/External Audit Process

• Stages of the Audit

– Establishing an Understanding with the Client

• An understanding with the client should be established for services to be performed for each engagement, and this understanding should be documented through a written communication with the client. This written communication is usually in the form of an engagement letter and is required to be signed and dated by the client.

• Items established include:

– Objectives of the engagement

– Management’s responsibilities

– Auditor’s responsibilities

– Limitations of the engagement

Independent/External Audit Process

• Stages of the Audit

– Planning the Audit

• Obtain an understanding of the entity and its environment, including its internal control, sufficient to assess risk and design audit procedures.

• Obtain knowledge of the client’s business and industry.

• Use analytical procedures as a planning procedure.

• Consider materiality and audit risk.

• Develop and document an audit plan – After sufficient planning information has been gathered, a written audit plan is required to be drafted for every audit.

Independent/External Audit Process

• Stages of the Audit

– Audit Procedures

• Assess the risk of material misstatement

– Inquiries

– Analytical procedures

– Observation and inspection of the client’s activities: inspect company documents, read management reports, board minutes and internal audit reports, visit the company’s premises and trace transactions through the information system.

– Conduct a risk assessment discussion among the audit team.

Independent/External Audit Process

• Stages of the Audit

– Audit Procedures

• Assess the risk of material misstatement (Continued)

– As part of the risk assessment process the auditors are required to document the following:

» The discussion among the audit team;

» Key elements of the understanding of the entity and its environment, in the form of either (1) flowcharts, (2) an internal control questionnaire or checklists, (3) narratives or (4) decision tables;

» The assessment of the risks of material misstatement;

» The identified risks and related controls.

Independent/External Audit Process

• Stages of the Audit

– Audit Procedures

• Determine Audit Approach

– The auditor's specific approach to identified risks at the relevant assertion level may consist of either a fully substantive approach or a combined approach.

» Substantive approach – For certain relevant assertions and risks, only substantive procedures will be performed. This may occur because either (1) there are not effective controls relative to the specific assertion; or (2) it would not be efficient to test the operating effectiveness of controls.

» Combined approach – Both tests of the operating effectiveness of controls and substantive procedures are used. Typically, if controls are operating effectively, less assurance will be required from substantive testing (i.e. reduced sample sizes).

Independent/External Audit Process

• Stages of the Audit

– Audit Procedures

• Tests of Controls

– Gaining an understanding of internal controls

» As part of gaining an understanding of the entity, the auditor identifies the controls in place and documents them within one of the forms noted above (i.e. narrative or flowchart).

– Evaluate the design of relevant controls and determine whether they have been implemented.

» Evaluation of design is performed during the gaining-an-understanding walk-throughs.

» Since walk-throughs are generally pertinent only at the point in time when they are performed, the auditors will test a sample of one to determine if the identified control was implemented during the period covered by the engagement.

– Design the nature, extent and timing of further audit procedures.

Independent/External Audit Process

• Stages of the Audit

– Audit Procedures

• Tests of Controls (Continued)

– Tests of controls are performed when the auditor’s risk assessment is based on the assumption that controls are operating effectively, or when substantive procedures alone are insufficient. The auditor is not required to evaluate the operating effectiveness of controls but is required to obtain and document an understanding of internal controls. Remember, obtaining an understanding of internal controls includes evaluating the design of controls and determining whether they were implemented during the proper period.

– Tests of operating effectiveness of controls include:

» Inquiry (Note: Inquiry alone is not sufficient)

» Inspection

» Observation – Since observations are generally pertinent only at the point in time when they are performed, observation should be supplemented with other procedures such as inquiry or inspection.

» Reperformance

Independent/External Audit Process

• Stages of the Audit

– Audit Procedures

• Tests of Controls (Continued)

– Dual purpose testing may also be performed. A dual purpose test is a test of controls that is performed concurrently with a test of details on the same transaction. For example, the auditor may select a sample of paid claims and test the control related to proper approval of claims prior to payment as well as the proper recording of the claim in the system based on underlying support in the claim file, to ensure the assertions of accuracy, compliance and completeness have been properly addressed.

– Examiner Understanding – When relying upon the auditors’ testing of controls, the examiner should be aware that, for example, when testing a monthly control the auditors may have tested one month as part of their design and implementation procedures and then tested two additional months as part of their operating effectiveness testing. In this example the total number of months tested would be three, but it may appear to be only two if the examiner obtains and relies upon the operating effectiveness testing alone.

Independent/External Audit Process

• Stages of the Audit

– Audit Procedures

• Tests of Controls (Continued)

– AICPA Cyclical Control Sampling Table (small population sample sizes for controls that operate at a fixed frequency):

  Frequency (population size)   Sample size
  Quarterly (4)                 2
  Monthly (12)                  2–4
  Semimonthly (24)              3–8
  Weekly (52)                   5–9

Independent/External Audit Process

• Stages of the Audit

– Audit Procedures

• Substantive Procedures

– Substantive procedures are used to detect material misstatements at the relevant assertion level.

– Substantive procedures are designed to be responsive to assessed risks; however, regardless of the assessed risk, substantive procedures are required for each material transaction class, account balance or disclosure. Control testing alone is not sufficient to mitigate risks related to these items.

Independent/External Audit Process

• Key Takeaways:

• The examiner should utilize the external auditor’s documented discussion among the audit team, understanding of the entity and its environment (i.e. industry analysis and process narratives), written assessment of the risks of material misstatement, and identified risks and related controls to assist the examiner in gaining an understanding of the Company, risk determination and control identification;

• The external auditor’s control testing consists of an evaluation of control design during process walk-throughs, implementation testing to ensure controls were in place during the audit period, and then tests of controls;

• The external auditor must perform detail testing for all material accounts.

Exhibit E – Documenting Independent / External Audit Testing

Exhibit E – Documenting Independent / External Audit Testing

• How to document Independent / External Audit Testing on Exhibit E

– With the implementation of critical risk category guidance, exam teams have been granted additional flexibility in relying on the work of auditors to address less significant financial reporting risks. The intent of this change is to allow for even greater efficiencies in utilizing existing audit work to address financial reporting risks that don’t fall within the critical risk categories and aren’t considered to be high financial solvency risks. In these situations, the examiner may choose not to place such risks on a key activity matrix.

Exhibit E – Documenting Independent / External Audit Testing

• How to document Independent / External Audit Testing on Exhibit E

– There is no explicit requirement for the exam team to document which of these risks were adequately addressed by the audit function or to provide rationale for risks that were originally considered, but ultimately not posted to the matrix. The required documentation is a conclusion regarding whether a review of financial reporting risks can be reduced based on the effectiveness of the insurer’s audit function.

– For financial reporting risks that are either designed and designated to address a critical risk category or are deemed significant and/or inherently high by the examiner, the method of reliance on audit work has not changed.

Exhibit E – Documenting Independent / External Audit Testing

• How to document Independent / External Audit Testing on Exhibit E

– As part of the general review and assessment of the audit function, Exhibit E requires the exam team to review audit work papers to determine whether material financial statement accounts were appropriately reviewed by the external auditor. However, it is up to each individual exam team to determine the level of review to be performed and the documentation to be provided in support of this step.

– In determining the level of review to be performed and documented in this area, the exam team should keep in mind that the purpose of the critical risk category changes is to direct time and resources to the most significant solvency issues facing the company under examination. Therefore, the utilization of audit work should be accomplished in such a way that supports this goal of performing an efficient and effective examination focusing primarily on the most significant solvency threats facing the company.

Exhibit E – Documenting Independent / External Audit Testing

• Steps to Document Reliance on External Audit Testing

– Perform a High-Level Review of the Audit Function in Phase 1

• As the purpose of leveraging work performed by the audit function of an insurer is to gain exam efficiencies, exam teams should attempt to limit the total amount of time spent in reviewing the existing audit work in Phase 1. While a meeting with the external auditor and completion of the steps within Exhibit E are required, examiners are encouraged to limit their review of specific work papers to gaining a general understanding of the scope of the audit and the level of testing performed. In all cases, the exam team should conclude on the competency and adequacy of the audit function. If the function, or portions thereof (i.e. internal or external audit), is not deemed to be effective, the exam team should limit the reliance it places on the function in the remaining phases of the examination.

Exhibit E – Documenting Independent / External Audit Testing

• Steps to Document Reliance on External Audit Testing

– Conclude Whether a Review of Financial Reporting Risks Will be Reduced

• As part of the assessment of the insurer’s external audit function, the exam team should conclude as to whether its review of financial reporting risk will be reduced based on the effectiveness of the function. If so, the exam team may choose to list the areas of financial reporting risk that will be excluded from review, supported by a brief summary of the audit work performed in those areas. This summary does not need to link to detailed supporting work papers, but may include a link to an audit program if deemed necessary or appropriate.

Exhibit E – Documenting Independent / External Audit Testing

• Steps to Document Reliance on External Audit Testing

– Utilize Relevant Audit Work to Address Identified Risks in Ph. 3 and Ph. 5

• For those remaining risks that are identified for review through the risk matrix (or Exhibit V), relevant work performed by the audit function should be leveraged to assist in addressing these risks. In these situations, the audit work should be brought into the examination file, reviewed in detail, retested (if deemed necessary), and annotated to indicate the examiner’s conclusion on and use of the work performed. In situations where significant reliance is placed on audit work to address a high risk of the company, examiners should strongly consider retesting at least one item to gain a full understanding of the nature and scope of testing performed.

Exhibit E – Documenting Independent / External Audit Testing

• Steps for Documenting Reliance on External Audit Testing – Timing Issue Related to Current Year Audit Work Papers

– Notify Auditors of Upcoming Exam as Early as Possible

• In all instances, the exam team is encouraged to notify the insurer and its independent auditor of an upcoming exam as early in the process as possible.

– Review and Utilize Prior Year Work Papers as Appropriate

• Even if current year audit work papers are not available for review during exam planning, the exam team may and should benefit from obtaining and reviewing the prior year work papers. These work papers may be reviewed to get an understanding of the overall audit approach as required by Exhibit E in Phase 1, as well as in Phase 3 control testing of a process that has not changed from the prior year.

Exhibit E – Documenting Independent / External Audit Testing

• Steps for Documenting Reliance on External Audit Testing – Timing Issue Related to Current Year Audit Work Papers

– Discuss any Changes in the Current Year Audit Approach and Conclude on Planned Reliance

• After reviewing prior year work papers to get an understanding of the overall audit approach and work performed, the exam team may discuss changes in the planned audit approach for the current year with the independent auditor. If the exam team determines that the audit approach will not change significantly in the current year and that prior year work was sufficient to reduce a review of financial reporting risks in certain areas, the exam team may choose to plan for reliance on current year audit work to reduce a review of financial reporting risks in those areas. This would allow the exam team to omit from the examiner’s key activity matrixes the less significant financial reporting risks expected to be reviewed through the current year audit.

Exhibit E – Documenting Independent / External Audit Testing

• Steps for Documenting Reliance on External Audit Testing – Timing Issue Related to Current Year Audit Work Papers

– Obtain and Review Current Year Work Papers Before Finalizing Exam

• Prior to concluding the examination, the exam team should obtain and review the current year audit work papers to verify that the work performed met expectations.

• If the work meets expectations, such a conclusion should be appropriately documented in the file.

• If the work performed does not meet expectations, the exam team should supplement the work performed by the independent auditor to address those financial reporting risks originally excluded from the risk matrixes. In this situation, the insurer should be notified of the deficiency identified in the audit work papers and the resulting impact on the examination budget.

Utilizing SOC Reports for IT Review

Service Organization Control (SOC) Reports

SOC Reports are designed to provide:

– Transparency

• By describing how an organization’s systems work to achieve the goals set to serve its customers.

– Operating Results

• By delivering an opinion on the fairness of the system description and on the design (and, for a Type II, the operating effectiveness) of the controls.

– Third-Party Reliance

• By leaving little room for questions by outside auditors and by providing support for compliance with mandated financial laws and regulations.

Service Organization Control (SOC) Reports

SOC Reports may be prepared as a SOC 1, 2 or 3:

– SOC 1 (SSAE 16; superseded by SSAE 18 for reports dated on or after May 1, 2017)

• A report that focuses on a service organization’s controls that are likely to be relevant to an audit of the user entity’s internal control over financial reporting.

– SOC 2

• A report that evaluates an organization’s information systems relevant to security, availability, processing integrity, confidentiality and privacy.

– SOC 3

• A report similar to a SOC 2 but without the detailed description of tests and results; it is a general-use report meant to be used as marketing material. Rarely used.

Service Organization Control (SOC) Reports

Trust Services categories examined as part of a SOC 2 (security is always in scope; the other four are included at the service organization’s election, so check which ones the report actually covers):

– Security

• Protection against unauthorized access (physical and logical security).

– Availability

• Availability for operations and use as agreed or committed.

– Processing Integrity

• Processing is complete, accurate, timely and authorized.

– Privacy

• Personal information (PII) is collected, used, disclosed and retained as agreed or committed.

– Confidentiality

• Confidential information is protected as agreed or committed.

Service Organization Control (SOC) Reports

• SOC Reports may be prepared as Type I or II:

– Type I

• A Type I report covers the fairness of the service organization’s system description and the suitability of the design of its controls to achieve the related control objectives as of a specified date. It supports the examiner’s risk assessment, but it provides no evidence that the controls operated effectively over a period; implementation testing in a Type I typically consists of a sample of one item per control.

– Type II

• A Type II report contains all of the same information as a Type I report and adds tests of the operating effectiveness of the controls over a period of time (commonly six to twelve months) rather than as of a specific date. Before relying on a Type II, confirm that its period covers the examination period (or obtain coverage for any gap), review the exceptions the service auditor noted, and verify that the insurer operates the complementary user entity controls the report assumes.

Service Organization Control (SOC) Reports

• SOC Reports: Differentiating between SOC and TYPE.

– SOC 1, 2 and 3

• Determines the SCOPE of the report.

• Remember “S” for SOC & Scope.

– Type I and II

• Determines the TIMEFRAME of the testing.

• Remember “T” for TYPE and TIMEFRAME.
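The two mnemonics above (S for scope, T for timeframe) are exactly the two checks an examiner runs before relying on a SOC report. The following Python example is added here and is not part of the presentation or any audit firm’s tooling: it rejects a SOC 3 (no detailed test results) and a SOC 1 (financial-reporting scope only) for trust-services reliance, lists the categories a SOC 2 did not examine, treats a Type I as point-in-time evidence only, and counts the days of an examination period that a Type II period leaves uncovered. The report contents, dates and all class, function and field names are constructed for illustration; the bridge letter mentioned in the gap finding is common practice between a service organization and its users, not something the slides describe.

```python
"""SOC report reliance check.

Added example, not from the presentation or any audit firm's tooling. It
encodes the two questions the slides separate: SCOPE (SOC 1, 2 or 3 and,
for SOC 2, which trust services categories were examined) and TIMEFRAME
(a Type I as-of date versus a Type II period). The report contents below
are constructed; class, function and field names are my own.
"""
from dataclasses import dataclass, field
from datetime import date

TRUST_SERVICES = {"security", "availability", "processing_integrity",
                  "confidentiality", "privacy"}


@dataclass
class SocReport:
    soc: int                  # 1, 2 or 3: the SCOPE of the report
    report_type: str          # "I" (as-of date) or "II" (period): the TIMEFRAME
    start: date               # Type I: the as-of date; Type II: period start
    end: date                 # Type I: same as start; Type II: period end
    criteria: set = field(default_factory=set)  # SOC 2/3 categories in scope

    def __post_init__(self):
        if self.soc not in (1, 2, 3):
            raise ValueError(f"unknown SOC report kind: {self.soc}")
        if self.report_type not in ("I", "II"):
            raise ValueError(f"unknown report type: {self.report_type}")
        if self.report_type == "I" and self.start != self.end:
            raise ValueError("a Type I report speaks as of a single date")
        if self.start > self.end:
            raise ValueError("period end precedes period start")
        unknown = self.criteria - TRUST_SERVICES
        if unknown:
            raise ValueError(f"not trust services categories: {sorted(unknown)}")


def uncovered_days(cov_start, cov_end, exam_start, exam_end):
    """Days of the inclusive exam period that lie outside the report's period."""
    total = (exam_end - exam_start).days + 1
    overlap_start = max(cov_start, exam_start)
    overlap_end = min(cov_end, exam_end)
    overlap = max(0, (overlap_end - overlap_start).days + 1)
    return total - overlap


def assess_reliance(report, exam_start, exam_end, needed_criteria=()):
    """Return (category, message) findings that limit reliance on the report.

    An empty list means the report gives operating-effectiveness evidence
    for every needed category across the whole examination period.
    """
    findings = []
    needed = set(needed_criteria)

    # S: scope of the report
    if report.soc == 3:
        findings.append(("scope", "SOC 3 carries no detailed test results; "
                                  "obtain the underlying SOC 2"))
    if report.soc == 1 and needed:
        findings.append(("scope", "SOC 1 addresses controls relevant to financial "
                                  "reporting, not trust services categories"))
    elif report.soc in (2, 3):
        missing = needed - report.criteria
        if missing:
            findings.append(("scope", f"categories not examined: {sorted(missing)}"))

    # T: timeframe of the testing
    if report.report_type == "I":
        findings.append(("timeframe", f"Type I reports on design and implementation "
                                      f"as of {report.start}; no operating "
                                      f"effectiveness evidence for {exam_start}..{exam_end}"))
    else:
        gap = uncovered_days(report.start, report.end, exam_start, exam_end)
        if gap:
            findings.append(("timeframe", f"{gap} day(s) of the exam period fall "
                                          "outside the Type II period; cover them "
                                          "with a bridge letter or the examiner's own testing"))
    return findings


def example_assessment():
    """Three constructed reports against a calendar-2017 examination period."""
    exam = (date(2017, 1, 1), date(2017, 12, 31))
    needed = {"security", "availability", "confidentiality"}
    reports = {
        # Type II, but the period ends three months early and one category is out of scope
        "partial_type_ii": SocReport(2, "II", date(2016, 10, 1), date(2017, 9, 30),
                                     {"security", "availability"}),
        # Type I: a point-in-time report, however recent
        "type_i": SocReport(2, "I", date(2017, 6, 30), date(2017, 6, 30), needed),
        # Full-period Type II with every needed category
        "full_type_ii": SocReport(2, "II", date(2017, 1, 1), date(2017, 12, 31), needed),
    }
    return {name: assess_reliance(r, *exam, needed) for name, r in reports.items()}


if __name__ == "__main__":
    for name, findings in example_assessment().items():
        print(name, "-> rely" if not findings else "")
        for category, message in findings:
            print(f"  [{category}] {message}")
```

The design choice worth noting is that scope and timeframe are reported as separate findings: a report can fail one without failing the other, and the remediation differs (a missing category needs a different or broader report, a coverage gap needs a bridge letter or the examiner’s own testing of the uncovered months).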

QUESTIONS

Rachelle Gowins, Assistant Director Financial Exams

[email protected]

Steven Sigler, Director of IT Examination Services

[email protected]