Management’s Assertions and the New Risk Assessment SAS’s

November 2006

Let’s continue the discussion we started last month about the new risk assessment SAS’s. I hope you had a chance to review a few of my previous newsletters on risk assessment—if not, please see these old AuditSkills newsletters to develop context for what we are going to talk about this month:

• January 2004: Bite Off Only What You Can Chew
• March 2004: What a Control Model Can Do for You

I mentioned last month that the AICPA has set out a structure for us to develop a risk assessment so that we don’t have to recreate the wheel. Very nice of them.

But there is a flip side to this kindness. You MUST use this model. The AICPA is pretty firm about this in SAS 109 and SAS 106.

Please keep in mind that the focus of this model is on audits of financial statements. Financial statement audits are the bailiwick of the new risk assessment SAS’s. (SAS stands for Statements on Auditing Standards for Financial Audits.)

As you may know, there are more types of audits out there—including performance audits and compliance audits. In my world an audit is an audit is an audit—meaning the core steps of an audit are the same no matter what type you are doing. So, no matter what type of audits you do, I think you can glean something from these new AICPA standards.

What does the SAS model do?

There are basically two steps to doing a risk assessment:

1. break the audit universe down into bite-sized chunks
2. assess risk for each chunk

So, what the new SAS does is tell us how to break the universe into bite-sized chunks. This is a very nice thing for them to do. It starts by breaking the universe—the financial statements—into the components of the financial statements—the line items on the balance sheet, income statement, and statement of cash flows.

These line items aren’t small enough to work with—so it breaks the universe down one step further to the assertions that management makes about each component—for example, that the amounts are accurate and complete. An example will help us…

Let’s pretend…

Let’s pretend we are auditing a World Charity Super Bingo—a bingo hall that gives part of its proceeds to charity, part of its proceeds to pay salaries and expenses of running the hall, and part of the proceeds to the state in taxes and fees. The main ways the bingo hall makes money is by selling bingo cards and by selling snacks.

The first cut is to choose a component of the financial statements. Let’s start with bingo card revenue on the income statement. And that bingo card revenue comes in three ways—from sales at the door, sales at the snack bar, and sales from girls walking around the floor in little chicky-boo costumes. Since the chicky-boo girls are pretty interesting—let’s choose bingo card sales made by these girls as they sashay the hall during games.

Just to make things complicated—the AICPA layers terminology on the components of the financial statements

Instead of leaving us up to our own devices to talk about the components of the financial statements in terms like revenue, expenses, assets, and liabilities, (Heaven forbid that accountants can understand the terminology used by the AICPA!) the AICPA divides the components of the financial statements into three pieces using the following terminology:

• Classes of transactions, which are in essence income statement and cash flow statement components (revenue, expenses, cash flows)

• Account balances, which are balance sheet items (assets, liabilities, and equity or fund balance)

• Disclosures, which are, in essence, the notes to the financial statements

Here is exactly what the AICPA says about these components in the SAS’s. Nowhere in the SAS’s—nowhere— do they ever define what these elements mean. (You have to be in the “know” to have a sense of what each of these areas means… and now you are! )

SAS 109: 104. The auditor should determine whether the identified risks of material misstatements relate to specific relevant assertions related to:

• Classes of transactions
• Account balances
• Disclosures
• The financial statements taken as a whole (and thus potentially affect many relevant assertions—and may derive from a weak control environment)

SAS 106: 19. For each:

• Significant class of transaction
• Account balance
• Presentation and disclosure

Auditor should determine the relevance of each of the financial statement assertions AND the source of likely potential misstatements in each.

I don’t know why they don’t just say, “Consider every line item on the financial statements.” I think auditors just like to make our work appear more complicated than it is.

What the SAS’s say about management’s assertions

Revenues are considered a class of transactions, using AICPA terminology. And now we are ready to take it to the next level of detail—management’s assertions about this component of the financial statements.

Here is what the SAS’s have to say about management’s assertions:

SAS 106: 14. Management is responsible for the fair presentation of financial statements that reflect the nature and operations of the entity. In representing that the financial statements are fairly presented in conformity with GAAP, management implicitly or explicitly makes assertions regarding the recognition, measurement, presentation, and disclosure of information.

And the SAS’s go on to describe management’s assertions broken down by the three component categories of the financial statements:

Classes of transaction assertions:

SAS 106: 15. Assertions about classes of transactions and events for the audit period:

• Occurrence—transactions and events that have been recorded have occurred and pertain to the entity
• Completeness—all transactions and events that should have been recorded have been recorded
• Accuracy—amounts and other data related to recorded transactions and events have been recorded properly
• Cutoff—transactions and events have been recorded in the proper accounting period
• Classification—transactions and events have been recorded in the proper accounts

Account balance assertions:

SAS 106: 15. Assertions about account balances at period end:

• Existence—assets, liability, and equity interest exist
• Rights and obligations—the entity holds or controls the rights to assets and liabilities are the obligations of the entity
• Completeness—all assets, liabilities, and equity interest that should have been recorded have been recorded
• Valuation and allocation—assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded

Presentation and disclosure assertions:

SAS 106: 15. Assertions about presentation and disclosure:

• Occurrence and rights and obligations—disclosed events and transactions have occurred and pertain to the entity
• Completeness—all disclosures that should have been included in the financial statements have been included
• Classification and understandability—financial information is appropriately presented and described and disclosures are clearly expressed
• Accuracy and valuation—financial and other information are disclosed fairly and at appropriate amounts

In Leita-speak, using items from the balance sheet and the income statement as examples, management asserts that:

• The transaction has occurred or that the item exists—for instance, that revenues were indeed collected or that a bingo machine exists.
• That they have rights to the item—This assertion works best with items on the balance sheet. For instance management might assert that it owns a bingo machine. This assertion doesn’t cleanly apply to items on the income statement and cash flow statement.
• That the item is disclosed completely—that all bingo card revenues were disclosed and that all of the liabilities are disclosed.
• The item is accurate and valued correctly—is the amount reported for salary expense accurate? Is the book value of the bingo machine correct?
• The item is allocated to the proper period—also known as cut off. This assertion is particularly important for revenues, expenses, and cash flows to make sure that the amounts are accurate and don’t bring in or leave out any significant transactions occurring at the end of the period.
• Classification and understandability—that bingo card revenue is not mingled with snack bar revenue, that liabilities are properly classified as long- or short-term, and that the notes to the financial statements are understandable.

So, that is your model—you take each component of the financial statements and run it through the relevant management assertions to justify and document why you chose to audit the areas you chose to audit.

A little more detail about those chicky-boos…

For our little example, here is a bit more detail that you learned while gaining an understanding of controls in the bingo hall:

The young chicky-boos who work selling tickets on the floor of the bingo hall collect cash when they sell bingo cards.

The cards are pre-numbered so it would be possible to track to make sure that every ticket was sold. However, when you ask where they keep the cards, the manager tells you that they are in a locked closet in the supply room.

You ask to see the supply room and notice that the cabinet is unlocked and that the cards are in half a dozen messy stacks on various shelves of the cabinet—in no particular order.

You ask the manager if she reconciles cash receipts to the pre-numbered cards used each evening. She said that she used to do that, but that since she has been so busy, she leaves it up to the girls to turn in the cash they collect. She says she trusts the girls to turn in the right amounts and now the cards are so messy—there would be no way for her to clean them up and reconcile past receipts to cards.

You also found out that the majority of their bingo card sales—at the door, on the floor, and in the snack bar—are made with cash. And that cash is collected in the snack bar and for other miscellaneous items as well—like T-shirts and Koozies.

Various employees turn in cash to the manager at the end of the night. The manager prepares the deposit, less any cash she needs to keep on hand, and drops it off at the bank each night. No one verifies her classification of cash receipts.

Looking through the lens of management assertions

So for our item of revenue—on the floor card sales—let’s look at it through the lens of management’s assertions and see where our major risks lie. We rank risk as high, moderate, or low.

Occurrence or existence
A definition of the assertion: Transactions and events that have been recorded have occurred and pertain to the entity.
Our assessment and why: To me it is unlikely that the revenues are over-reported—more that they are probably underreported. Everything that was recorded as revenue probably did occur. I award this assertion a low risk ranking!

Rights and obligations
A definition of the assertion: Management has the right to the asset or equity and an obligation to pay.
Our assessment and why: This assertion isn’t all that relevant to revenues. It usually pertains more to the rights to assets and the obligation to pay liabilities. Either this gets a low or not applicable ranking.

Completeness
A definition of the assertion: All transactions that should have been recorded were recorded.
Our assessment and why: Ah… here is our problem. Using my auditor skepticism, I can imagine the chicky-boos pocketing the cash receipts from the customers and never reporting it—I give this a high ranking.

Accuracy/Valuation/Allocation
A definition of the assertion: Amounts and other data relating to recorded transactions and events have been recorded properly.
Our assessment and why: This one isn’t as sure fire a hit as completeness, but I can see how, since controls are lax, that they may not be doing a very good job recording every night’s receipts. I may want to ask more questions about this one—I am going to give it a moderate for now.

Cut-off
A definition of the assertion: Transactions or events have been recorded in the correct accounting period.
Our assessment and why: I didn’t find out anything in the information gathering phase that made me worry about this. The cash is deposited each night—and there are no long-term relationships—like payables and receivables here to worry about—I am going to give this a low.

Classification
A definition of the assertion: Transactions and events have been recorded in the proper accounts.
Our assessment and why: This one concerns me, because it sounds like the manager can attribute the cash revenues to any account she pleases—and there is nothing to verify that she has classified the revenues correctly. This one deserves more research and I am going to give it a high ranking.

So, for this one item of revenue—I have given two areas a high ranking and thus, they are worthy of our attention: completeness and classification. Allocation and valuation also worries me a bit—I gave it a moderate ranking—so I will probably give it a little more attention, also.

For a risk assessment tool/program that pulls many of the requirements of the new risk assessment SAS’s together—please see Frank Crawford, CPA’s killer model on my website under Resources.

Now, what you might be asking at this point is “How did we find out all of this information about bingo card revenue?” Well, we found it out using risk assessment procedures, which are mandatory per the risk assessment SAS’s. Next month we discuss the mandatory risk assessment procedures.