Detailed Information on the SAS
104-111 AND what it means to the
audit profession

Transcript of "Sas 104 111 Impact On Auditors "

  1. Detailed Information on the SAS 104-111 AND what it means to the audit profession
     Maryland Association of Nonprofits, June 11, 2008
  2. What, Why, How
     - What they are, what they mean
     - Why we have them
     - How we implement them
     - Warnings
     www.metrometro.com
  3. I’m up to my *&?! In SASs
     - 104 “Due Professional Care”
     - 105 Amendment to SAS 95, GAAS
     - 106 Audit Evidence
     - 107 Audit Risk and Materiality
     - 108 Planning and Supervision
     - 109 Understanding the Entity and its environment and assessing the risks of Material Misstatement
     - 110 Performing Audit Procedures in response to assessed risks and evaluating the audit evidence obtained
     - 111 Amendment to SAS 39, Audit Sampling
     Effective Dates: 104-111 effective for audits of F/S for periods beginning on or after 12-15-06.
  4. Risk Assessment Standards
     Enhances the auditor’s application of the audit risk model:
     AR = [CR x IR] x DR
     [CR x IR] = RMM
     - AR = Audit Risk
     - CR = Control Risk
     - IR = Inherent Risk
     - DR = Detection Risk
     - RMM = risk of material misstatement
  5. Why? (Enron, Worldcom, etc.)
     - Improve implementation of the Audit Risk Model
     - Better understanding of internal controls
     - Better assessment of the Risk of Material Misstatement (RMM)
     - Determine audit procedures based on the response to RMM
     - Improve the quality and consistency of Audits
     - Help auditors discover fraud – even though we are not engaged to discover fraud
  6. Lynford Graham, CPA, PhD, CFE, August 2007 Interview California CPA
     As a former member of the AICPA’s Auditing Standards Board and Risk Assessment Standards Task Force, and chair of the Risk Assessment and Risk Response Audit Guide Task Force, Graham was instrumental in developing these Audit Risk Standards.
     http://goliath.ecnext.com/coms2/gi_0199-6920795/Audit-awareness-SAS-Nos-104.html
  7. The following are key points regarding the goals and objectives of having these new standards:
     Concerns that audits were becoming increasingly risk-based (a good thing), but that there was a lack of guidance on how to go about the risk assessment process (not a good thing).
  8. Lynford Graham
     The trend towards increased reliance upon the seemingly improved and automated systems (especially for larger entities) and the internal audit resources of these entities (large entities, not relevant for small businesses).
  9. Lynford Graham
     The standards mostly clarify the intent of existing standards.
  10. Lynford Graham
      There are only a few “new” concepts such as the identification of “significant risks” for audit engagements.
  11. Lynford Graham
      The requirement to assess internal controls design and implementation, while not a new concept, this assessment was often glossed over for smaller client audits where controls reliance was not planned. Clarifying this requirement creates a need for broad understanding of the COSO framework and its components, how control objectives or attributes are used to assess controls design, and how to identify any obvious "holes" in the internal controls of an entity.
  12. Lynford Graham
      Concerns are out there that this is a Sarbanes approach, which it is not. SAS No. 78 put the COSO framework clearly in our literature long ago, before SOX. The "suite" requirement is only to assess the design (and implementation) of controls.
  13. Lynford Graham
      The controls (evaluation) requirements can be limited to the most significant control activity processes, like sales, major cost processes and payroll, and maybe the consolidation and closing process.
  14. SAS 112 Told us about material misstatements, these will tell us how to identify better
      - Require a more in-depth understanding of the entity and its environment, including its internal control.
      - More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements.
      - A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.
      (The How, stay tuned)
  15. Quick Review
      As we review, think about how these new pronouncements differ from the old requirements. Are they really that different?
  16. SAS 104
      - Amendment to SAS No. 1 regarding DUE PROFESSIONAL CARE
      - KEY CHANGE --> term "reasonable assurance" is now "high level of assurance"
      - However, still expressed in auditor's report as "reasonable assurance"
  17. SAS 105
      Second Standard of Fieldwork
      - Expands the scope from "internal control" to "the entity and its environment, including its internal control"
      - Extends its purpose from "planning the audit" to "assessing the risk of material misstatement of the financial statements whether due to error or fraud"
      - Finally, "further audit procedures" replaces "tests to be performed" to recognize that audit procedures are also performed to obtain understanding of risks.
  18. SAS 105
      Third Standard of Fieldwork
      - Replaces "sufficient" with "appropriate" audit evidence
      - Replaces "evidential matter" with "audit evidence"
  19. SAS 106
      - Audit Evidence - defines the term and provides guidance on its reliability
      - Defines Relevant Assertions and discusses their use in assessing risks & designing appropriate further audit procedures.
      - Higher evidentiary standard - replacement of "competent" with "appropriate" evidence
      - Biggest change --> Inquiry alone is not sufficient to determine whether a control has been implemented - now requires observation in conjunction with inquiry at a minimum.
  20. SAS 106
      Tests of Controls necessary in two circumstances:
      - When auditor's Risk Assessment includes an expectation of the operating effectiveness of controls
      - When Substantive Procedures alone do not provide sufficient appropriate audit evidence (auditor should obtain audit evidence about the operating effectiveness of controls)
  21. SAS 106
      - Describes how we assess risks related to Assertions & how we design responsive audit procedures.
      - Sufficient Appropriate Audit Evidence
      - Sufficiency is the measure of the quantity of audit evidence
      - Appropriateness is the measure of quality of audit evidence, further defined by: its relevance and its reliability in providing support for, or detecting misstatements in, The Classes of Transactions, Account Balances, and Disclosures and Related Assertions.
      - The auditor should consider the sufficiency and appropriateness of audit evidence when assessing risks and designing further audit procedures.
  22. SAS 106
      - When information produced by the entity is used, the auditor should obtain audit evidence about the accuracy and completeness of the information.
  23. SAS 107
      - Audit Risk & Materiality in Conducting an Audit
      - Auditor must determine Materiality during planning stage
      - Materiality set based on auditor's perception of the perspective of a reasonable user of the financial statements.
  24. SAS 107
      - Determination of materiality in the planning stage is a starting point --> from there, use professional judgment to modify as facts and circumstances are discovered or change during the audit.
      - Auditor must assess risk:
        - Inherent Risk (no controls)
        - Control Risk (control will fail)
        - Combined Risk
      - KEY CHANGE - No longer permissible for auditor to default to a max control risk
  25. SAS 107
      - Assess risk at each transaction level and each procedure
      - Assessed risks and the basis for those assessments should be documented
  26. SAS 107 Documentation Should
      - Enable an experienced auditor with no previous connection to the audit to understand:
        - Nature, timing, and extent of procedures performed
        - Results of procedures and evidence obtained
        - Conclusion on significant matters
        - Accounting records agree or reconcile to financial statements
      - Include identifying characteristics!
      - Document everything that is done!
  27. SAS 108
      SAS No. 108, Planning and Supervision (Amends SAS 1 and SAS 22) (No major changes)
      “The auditor must adequately plan the work and must properly supervise any assistants.”
  28. SAS No. 109, Assessing Risks
      “The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.”
  29. SAS 109 Says
      Understanding the Entity & its Environment & Assessing the Risks of Material Misstatement
      **Absolutely REQUIRED
      - Auditor required to determine that controls ARE implemented
      - Do not need to TEST controls, but must understand that the designed controls being evaluated are in fact part of the entity's processes.
      - Performance of a "walkthru" of a client's key controls and documentation thereof will be important for evidencing the auditor's assessment and understanding of a client's internal controls and in allowing the auditor to assess the appropriate level of Control Risk
  30. SAS 109
      When assessing risk, we should consider more input:
      - Inquiries of management, legal counsel, bankers, etc.
      - Employees, managers, etc.
      - Visits to premises
      - Objectives and strategies of the managers and owners
  31. SAS 110
      Auditors now REQUIRED to provide a CLEAR LINK between:
      - Understanding the Entity (and its Environment, including Internal Controls)
      - How the risk was assessed
      - The design of the tailored procedures
  32. SAS 110
      Timing
      - Auditors may perform procedures at an interim period date. (Big deal, cost savings opportunity)
  33. SAS 110
      SAS No. 110, Performing Procedures (continued)
      Test of Controls may be rotated
      - The auditor should test the operating effectiveness of controls at least every three years in an annual audit
      - The auditor should update his or her understanding to ensure controls have not changed
      - If the auditor plans to rely on controls that have changed, the auditor should test the controls
  34. SAS 111
      SAS No. 111 provides enhanced guidance on tolerable misstatement. In general, tolerable misstatement in an account should be less than materiality to allow for aggregation in final assessment.
      Ordinarily sample sizes for non-statistical samples are comparable to sample sizes for an efficient and effectively designed statistical sample with the same sampling parameters.
  35. What We (Auditors) Have To Do (How)
      - Assess strength of design of controls?
        - Will they work?
        - Should they work?
      - Determine if the controls are operating?
        - Do they work?
  36. New Approach
      - PPC Smart E Practice Aids
      - Walk-thru the business processes and related controls to assess risk
        - Number of transactions
        - Materiality of account balance
      - Develop audit programs accordingly
  37. Clients
      - 8 weeks out, we will send you questionnaires to tell us how your processes work and how your related internal controls are designed.
      - Visit twice, once for information gathering for risk assessment, then once for fieldwork.
      - Spread your work out, this is a good thing.
      - Can we do the walkthrough at the planning visit? Some, at least.
  38. Details of Your Controls (still the client)
      - How transactions are initiated and authorized
      - How they flow through the accounting system
      - How outside records are reconciled to the transactions and end up on the financial statements
  39. Auditor
      - Audit team member will take your information and complete a detailed worksheet to identify control risk areas – risks of material misstatements
        - Poor segregation of duties
        - Pressure on management to make numbers (misstatement of revenue always a risk)
        - Staff turnover and other changes
        - We will interview other client employees as part of our information gathering. What do they know, what have they heard?
  40. Auditors
      - We assign a level of risk for each key area of financial statement, high/medium/low
      - Generate (PPC Smart E Practice Aids) one of three audit programs in that area:
        - Limited – primarily analytical review plus some other procedures
        - Basic – some testing of account balances plus other procedures
        - Extended – everything for higher risk areas
  41. Team Meeting
      Audit team meets to review results of risk assessment and discuss key financial statement areas
  42. Walkthrough
      - We have to evaluate controls to the same standards that we evaluate other audit evidence.
      - Need to know more about the processes and related controls
      - Pick a process, walk through the system, evaluate the risk
  43. Evaluate the Risk
      - Do controls exist?
      - Are they satisfactory?
        - Design deficiency
      - Are they working properly?
        - Operating deficiency
  44. Increase audit work and risk
      - More management letter points
      - Quicker to significant deficiency and material weakness (SAS 112)
      - Expect 15-25% more time on the audit
      - Involve your clients, it’s a different audit now, you can’t do it all by yourself
      - Possibly create control specialists to do the risk assessment
  45. Take Control - Make Your Audit Easier
      Make fewer journal entries - Audit standards require that we review journal entries for unusual activities. The more entries, the longer the audit takes. You can cut down on journal entries by recording bank charges, debits and manual checks as you would any other cash disbursement. Record bank account interest earned like you would a deposit.
  46. Take Control - Make Your Audit Easier
      Be ready for us - Make sure your auditor has provided you with a long Client Assistance List (CAL) or PBC (Provided by Client) list. The longer the better so that you can do the work at your schedule instead of scurrying during the audit fieldwork. Number the list and have a folder, notebook tab, or pile for each number. Impress the auditor, be organized, that's what we're looking for.
  47. Take Control - Make Your Audit Easier
      Be consistent and predictable - We like ordinary and boring. If you have a group of month end journal entries for depreciation, accrued payroll, etc., make them all on one entry that looks the same each month. Keep entries as ordinary and routine as possible. Record deposits the same. Record invoices the same. Make the transactions as easily identifiable as possible.
  48. Take Control - Make Your Audit Easier
      Support, Support, Support - Every transaction requires support. Checks, deposits, journal entries. Be consistent by including the same support on each type of transaction. Make sure every transaction has the required approvals.
  49. Take Control - Make Your Audit Easier
      Document your approval processes and follow them - If a disbursement requires a board signature, make sure it has a board signature. Make sure your approval processes will pass the auditor's tests.
  50. Take Control - Make Your Audit Easier
      Don't turn the audit engagement into an accounting engagement. Get the accounting work done first. Post accruals, depreciation, make sure everything ties in, etc. We don't want to do accounting work at the audit. Auditors like to tick and tie to get comfort that the numbers are right. Every time we have to make an entry, you lose credibility and it takes longer for us to get comfortable. Your auditors don't have to be your accountants, you can hire an accountant to do a monthly or quarterly review so that you'll be more prepared for your audit.
  51. Take Control - Make Your Audit Easier
      Insist on consistency from your audit team. Ask ahead of time, who will be coming. Are they the same auditors as last year? If not, push back a little bit. The more consistency, the less learning curve and the fewer interruptions.
  52. Risk Assessment Standards
      To gain some insight on the need for, and utilization of, these standards, California CPA recently interviewed CPA Lynford Graham, Ph.D., CFE.
  53. Lynford Graham, Ph.D., CPA, CFE
      As a former member of the AICPA's Auditing Standards Board and Risk Assessment Standards Task Force, and chair of the Risk Assessment and Risk Response Audit Guide Task Force, Graham was instrumental in developing these Audit Risk Standards. A frequent lecturer on the subject nationwide, Graham also is the author of a handbook on documenting internal controls for non-public companies.
  54. Question
      What were the goals and objectives of the ASB and Risk Assessment Standards Task Force?
  55. Answer
      A: The ASB, in coordination with the International Audit and Attest Standards Board, undertook a joint project in the latter 1990s to clarify many of the core auditing standards and advance more guidance on the role and performance of risk assessment. This was in response to concerns that audits were becoming increasingly risk-based, but there was a lack of guidance on how to go about the risk assessment process.
  56. Answer (cont)
      There were also concerns that, in some cases, too little audit work was being done to identify and correct any errors that might exist in the pre-audit financial statement records.
      Graham
  57. Answer (cont)
      Auditors of major entities were becoming more reliant on the seemingly improved and automated systems, and internal audit resources of these entities.
      Graham
  58. Why Now?
      The disastrous events and audit failures in early 2000 that led to the Sarbanes-Oxley Act of 2002 are evidence that the project was on target, but that it was too late to avoid the events of Enron, WorldCom and the litany of business and audit failures in that time period.
      Graham
  59. Q: How revolutionary are these standards?
      A: Tough question. Much of the answer depends on what you have been doing in your audits all along.
      Graham
  60. Answer (cont) How revolutionary are these standards?
      The standards mostly clarify the intent of existing standards. Many firms have been successfully using the concepts in these new standards for a long time. For example, using audit assertions as an integral part of the audit planning and performance of the audit is not new. Neither is the assessment of controls as part of understanding the audited entity. That requirement extends to before SAS No. 55.
      Graham
  61. Answer (cont) How revolutionary are these standards?
      There are only a few "new" concepts, such as the identification of "significant risks" for audit engagements, which was not part of the auditing literature before, but were still practices of some firms before SAS No. 109. In any case, the extent of change these standards will bring will differ from firm to firm.
      Graham
  62. Where are firms struggling with implementation?
      A: The requirement to assess internal controls design and implementation for audit clients seems to be giving some firms consternation. While not a new concept, this assessment was often glossed over for smaller client audits where controls reliance was not planned.
  63. Where are firms struggling with implementation?
      Clarifying this requirement creates a need for broad understanding of the COSO framework and its components, how control objectives or attributes are used to assess controls design, and how to identify any obvious "holes" in the internal controls of an entity.
  64. Where are firms struggling with implementation?
      Concerns are out there that this is a Sarbanes approach, which it is not. SAS No. 78 put the COSO framework clearly in our literature long ago, before SOX. The "suite" requirement is only to assess the design of controls and there is no requirement to test them.
  65. Where are firms struggling with implementation?
      In addition, the controls requirements can be limited to the most significant control activity processes, like sales, major cost processes and payroll, and maybe the consolidation and closing process. SOX requirements are much more extensive and require controls testing.
  66. Where are firms struggling with implementation?
      Reporting material weaknesses and significant deficiencies in controls, in writing, to the governance group is also an area of attention and concern. While not officially in the suite, SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit, works with SAS No. 109 to ensure internal control matters are identified and communicated.
  67. Additional Parts of Graham Interview
      audits of smaller entities are not supposed to be a second-class service compared with audits of larger entities. By clarifying the standards, all firms will compete on an equal footing, and not by re-defining what constitutes an audit under Generally Accepted Auditing Standards.
  68. Why so much focus on risk assessment?
      A 2006 Certified Fraud Examiners survey revealed the median size of reported fraud in entities of less than 100 employees is $190,000. How many businesses of that size can withstand losing that amount of money and survive?
  69. Guidance for the nonprofit
      Graham has a book coming out, Internal Controls: Guidance for Private, Government and Nonprofit Entities, which helps companies understand how to document their controls and helps to bridge the auditor-client issues in controls assessment and testing.
  70. What do CPAs need to understand most clearly about the standards?
      Many of the new requirements will require a real first-year effort to get up and running. The maintenance in year two, and beyond, of well-implemented changes will not be that hard or expensive.
      Graham
