“I have been ranting and raving to my peers, family and friends about your seminar… you had me on the edge of my seat just absorbing all the information you covered! Anyone that can teach [auditing]… in such a fun, exciting and upbeat way… deserves more than just KUDOS. I am already looking into other seminars you teach.”
 

Home

Seminars & Workshops

Schedule

About

Clients

Newsletter

Store

Resources

Links

Contact
 

SIGN UP FOR OUR
FREE NEWSLETTERS
First Name
Last Name
*  Email Address
*  Preferred Format
 
Mailing Lists:
 
*  Enter security code:

 
AuditSkills Archives
Happy Cash Flow Archives

 

Contact Us
P.O. Box 202138
Austin, Texas 78720

P: 512-996-8588
F: 512-996-8585
Email


View Leita Hart-Fanta's profile on LinkedIn

Gaining an Understanding Is Now Mandatory Per the SASs

March 2007

You have been asked to express an opinion on the financial statements of World Charity Bingo. That sounds doable, since it is such a small operation. However, you have never audited a bingo operation before, so you need to spend a little time gaining an understanding of what you are dealing with.

In the past, the AICPA didn’t have a lot to say about this phase of the audit. But now they do! As you can well imagine, it is pretty impossible to do a risk assessment without having an understanding of what the entity is about… I mean what would you use to support your risk assessment?

SAS 109 takes our already existing standard requiring us to gain an understanding of the entity and its environment and expands on it—in a big way.

SAS 109: 1. The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.

So, since the new standards are requiring a risk assessment, they are requiring you to answer certain questions in the initial stages of your audit.

Required procedures in performing a risk assessment

It is time to do a little digging about what the World Charity Bingo Hall is up to.

The AICPA has laid out required procedures. Most of the requirements are laid out in SAS 109, which is aptly titled “Understanding the Entity and Assessing Risk.” The required procedures are:

SAS 109: 6. The auditor should perform the following risk assessment procedures:

    • Inquiries of management and others within the entity
    • Analytical procedures
    • Observation and inspection

Later, SAS 109:55 requires us to trace transactions through the IT system as part of gaining an understanding:

SAS 109: 55. tracing transactions through the information systems relevant to financial reporting

And SAS 109 goes on to tell us what each risk assessment procedure—inquiry, analytical procedures, and observation and inspection—entails:

Inquiry

Inquiry is where you talk with folks in the know in the organization. Be careful not to rely solely on inquiry in your risk assessment procedures. Sometimes the folks you are talking to haven’t a clue about how things really work.

SAS 109: 6 - INQUIRIES—much can be obtained by management and those responsible for financial reporting, inquires of others may be useful:

    • Those charged with governance
    • Internal auditors
    • Employees involved in initiating, authorizing, processing, or recording complex or unusual transactions
    • In-house legal counsel
    • Marketing, sales, or production personnel

Analytical procedures

Analytical procedures are where you manipulate data to spot trends or unusual things. The SAS reminds us to start out by setting expectations about what should exist and then see if that is really what is happening.

SAS 109: 9: ANALYTICAL PROCEDURES—identify the existence of unusual transactions or events and amounts, ratios, and trends that might indicate matters that have financial statement and audit implications. In using analytical procedures, auditors should develop plausible expectations about what should exist and then compare to reality.

Observations and Inspections

This is why auditing will be hard to outsource to India, because some of your best evidence comes from actually watching what is going on. It is too expensive to fly folks over from India to do an observation. THANK YOU!

SAS 109: 10: OBSERVATIONS AND INSPECTIONS—support inquiries... and include:

    • Observation of entity activities and operations
    • Inspection of documents (business plans and strategies), records, and internal control manuals
    • Reading reports prepared by management, those charged with governance, and internal audit
    • Visits to the entity’s premises or plant facilities
    • Tracing transactions through the information system relevant to financial reporting which may be performed as part of a walk-through

5 Areas to Gain an Understanding of

And, true to the intent of this new suite of risk assessment SASs—which is to hold our hand throughout the whole process of risk assessment—to prevent us from just doing a few simple inquiries and going with our gut feel on where to audit—SAS 109 spells out 5 areas that you must gain an understanding of.

Nothing here is illogical, but it is relatively humorous that they aren’t leaving much up to chance, or to our auditor judgment.

Here are the five areas you need to gain an understanding of:

  1. What is going on in the entity’s industry and environment
  2. What is the nature of the entity
  3. What are the objectives and strategies of the entity
  4. How the entity measures and reviews performance
  5. What internal controls exist

SAS 109: 21. The auditor’s understanding of the entity and its environment consists of an understanding of the following aspects:

    • Industry, regulatory, and other external factors
    • Nature of the entity
    • Objectives and strategies and the related business risks
    • Measurement and review of the entity’s financial performance
    • Internal control, which includes the selection and application of accounting policies

And here is more information on each of these 5 areas:

#1 – Industry, regulatory…

SAS 109: 24. Industry, regulatory, and other external factors include:

    • Competitive environment
    • Supplier and customer relationships
    • Technological developments
    • The regulatory environment
    • Accounting pronouncements
    • Legal and political environment
    • Environmental requirements
    • General economic conditions

#2 – Nature of the Entity

SAS 109: 25. Nature of the entity includes the:

    • Entity’s ownership (including related party transactions)
    • Entity’s operations
    • Entity’s governance
    • Types of investments it is making and plans to make
    • Way the entity is structured
    • How it is financed

#3 – Objectives, Strategies, Business Risks

SAS 109: 29. Objectives and Strategies and Related Business Risks

    • Objectives = overall plans for the entity
    • Strategies = operational approaches to achieve objectives
    • Business risk = results from conditions, events, circumstances, actions, or inactions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies or the setting of inappropriate objectives and strategies. Business risk is broader than the risk of material misstatement although it includes the latter.

#4 – Measurement of Financial Performance

SAS 109: 34. Measurement and Review of the Entity’s Financial Performance—performance measures create pressures on the entity that may in turn motivate management to take action to improve business performance or misstate the financial statements
Internally generated information includes:

    • Budgets
    • Variance analysis
    • Subsidiary information
    • Divisional, departmental, or other performance reports
    • Comparisons with competitors

Externally generated information includes:

    • Analysts reports
    • Credit rating agency reports

#5 – Internal Controls

SAS 109: 40. Internal control = the auditor should obtain an understanding about the five components of internal control sufficient to assess the risk of material misstatement of the financial statements…and to design the nature, timing, and extent of further audit procedures. Should obtain a sufficient understanding by performing risk assessment procedures to evaluate the design of controls relevant to an audit of financial statements and to determine whether they have been implemented.

I think that is enough for now. Next month—we will discuss the mandatory meeting you must conduct with your audit staff to discuss what you found.

NASBA Certified

  © 2000 to 2010 Leita Hart-Fanta. All rights reserved. | Privacy Policy