GAAS

GAAS
UPDATE SERVICE
Volume 07, Issue 15 August 15, 2007

Practice Issues and Questions & Answers

Relating to Statement on Auditing Standards
No. 109, Understanding the Entity and Its
Environment and Assessing the Risks of
Material Misstatement

Summary & Highlights

With the release of Statements on Auditing Standards (SAS) Nos. 104 through
111 (collectively referred to as the “Risk Assessment Standards”), significant
changes are expected to result to existing audit practice. The Risk Assessment
Standards are effective for audits of financial statements for periods beginning
on or after December 15, 2006. One of the Risk Assessment Standards, SAS No.
109, Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement (SAS-109), requires the auditor, among other matters, to: (1) per-
form risk assessment procedures to obtain an understanding of the entity and its
environment, including its internal control; (2) discuss the susceptibility of the
entity’s financial statements to material misstatements with members of the audit
team; (3) determine whether changes have occurred to information obtained in
prior periods, such as internal control and risk assessments, which would affect its
relevance to the current audit if the auditor plans to rely on that information; and
(4) identify and assess the risks of material misstatement at the financial statement
level and at the relevant assertion levels for classes of transactions, account bal-
ances, and disclosures.
SAS-109 was covered in detail in the August 30, 2006, September 15, 2006,
and September 30, 2006 GAAS Update Service. This GAAS Update Service focuses
on practical issues relating to SAS-109 by using a “Question & Answer” format
designed to provide practical discussion, advice, and specific implementation
guidance.
 Analysis & Explanation
Question 1: Besides making inquiries of management, to whom within the
entity might the auditor direct his or her inquiries when performing risk assess-
ment procedures?

Answer: Deciding to whom, besides management, inquiries should be directed

and the exact nature and extent of those inquiries is a matter of the auditor’s pro-
fessional judgment. However, other persons within the entity to whom inquiries
might be directed generally include:

• Persons charged with governance, such as the audit committee or the board of
directors, to gain an understanding of the environment in which the financial
statements are prepared.
• Internal auditors, to obtain information about: (1) their activities concern-
ing the design and effectiveness of internal control; and (2) management’s
responses to internal audit findings.
• Operating personnel who are not directly involved in financial reporting,
such as marketing, sales, or production personnel, to obtain information about
changes in the entity’s strategies and trends or in its contractual relationships.
• Employees involved in initiating, authorizing, recording, or processing unusual
or complex transactions, to assist the auditor in evaluating the appropriateness
of the accounting policies used.
• In-house legal counsel, to acquire information about matters, such as contracts,
compliance with laws and regulations, fraud, litigation, warranties, and post-
sale obligations.

Question 2: What is the objective of the engagement team’s discussion of the

susceptibility of the financial statements to material misstatements?

Answer: The discussion among the audit team of the susceptibility of

the financial statements to material misstatements is intended to accomplish the
following:

• Help the audit team gain a better understanding of the potential for material
misstatement due to fraud or error;
• Help audit team members understand how the results of the audit procedures
they perform may affect other audit areas;
• Give more experienced team members an opportunity to share their knowledge
about the entity; and
• Enable team members to exchange information about the entity’s business risk
and the susceptibility of the financial statements to material misstatement.

Question 3: What are some of the critical issues that should be covered in the
engagement team’s discussion of the susceptibility of the financial statements to
material misstatements?

Answer: The discussion among the audit team of the susceptibility of the finan-
cial statements to material misstatements should cover critical issues, such as:

• Areas of significant audit risk;

• Areas susceptible to management override of controls;
• Unusual accounting procedures used;

2 © 2007 CCH. All Rights Reserved.

• Significant control systems;
• Materiality at the financial statement and account levels;
• The effect of materiality on the scope of testing;
• The entity’s application of generally accepted accounting principles (GAAP);
• The risk of material misstatement due to fraud;
• Fraud risk factors;
• Audit responses to assessed fraud risks; and
• The need to: (1) perform the audit with an attitude of professional skepticism;
(2) be alert for and follow up on indications of material misstatements; and
(3) exercise professional judgment.

Question 4: Is the auditor required to consider and understand all controls that
exist within an entity?

Answer: No. Generally, controls that are relevant to an audit pertain to the
entity’s objective of preparing its financial statements that are fairly presented in
conformity with GAAP or an other comprehensive basis of accounting. Entities
typically have additional controls that are not necessarily relevant to an audit
and, therefore, need not be considered. Examples include controls relating to the
effectiveness, economy, and efficiency of certain management decision-making
processes, such as whether to make expenditures for certain research and develop-
ment or advertising activities.
Also, although internal control is relevant to the entire entity or to any of its
operating units or business functions, an understanding of internal control rel-
evant to each of the entity’s operating units and business functions may not be
necessary.
Generally speaking, a financial audit would concentrate primarily on the
controls over financial reporting because these are the controls that are the
most likely to be meaningful to the audit. It may be helpful, however, to assess
controls in other areas that are relevant to the audit work, such as the devel-
opment of production statistics to be used in analytical procedures. Controls
over compliance with laws and regulations, such as employment practices and
occupational health and safety, although important to the company, ordinarily
do not have a direct effect on the financial statements and therefore need not
be assessed.

Question 5: What are the primary reasons for the auditor’s required under-
standing of any internal control system?

Answer: The auditor’s understanding of any internal control system must, at a

minimum, accomplish the following:

• Determine whether the entity is auditable (i.e., the auditor must obtain infor-
mation about the integrity of management and the nature and extent of the
entity’s accounting records to be satisfied that sufficient competent evidence is
available to support the financial statements);
• Identify the types of potential misstatements, whether caused by error or by
fraud, that could occur in the financial statements;
• Consider factors that affect the risk that material misstatements will occur;
• Design tests of controls, when applicable; and
• Design substantive tests (i.e., the information obtained should allow the audi-
tor to design effective tests of financial statement balances, including tests of
details of transactions and balances, and analytical procedures).

© 2007 CCH. All Rights Reserved. 3

 Question 6: What factors should the auditor consider when evaluating the
effectiveness of the board of directors or the audit committee?

Answer: An entity’s control consciousness is influenced significantly by the

entity’s board of directors and the audit committee. Factors that the auditor should
consider that affect the effectiveness of the board of directors or the audit commit-
tee include the following:

• Its independence from management.

• The experience and stature of its members.
• The extent of its involvement and scrutiny of activities.
• The appropriateness of its actions.
• The degree to which difficult questions are raised and pursued with management.
• Its interaction with internal and external auditors.

Question 7: What are some signals that typically should increase the auditor’s
concern about the effectiveness of an entity’s control environment?

Answer: The following are some signals that generally should increase the
auditor’s concern about the effectiveness of an entity’s control environment:

• High turnover in management positions, particularly financial management;

• Managerial talent and qualifications not commensurate with the growth of the
business;
• Increased dependence on computer processing for decision-making purposes,
but without adequate knowledge of computer operations;
• Diversified activities, each with its own accounting system;
• Decentralized operations and record-keeping with a centralized management;
and
• Inadequate internal audit function.

Question 8: Should the auditor’s understanding of an entity’s financial report-

ing information system include the accounting system maintained by the service
organization?

Answer: Yes. Many entities use service organizations (e.g., banks, brokerage
firms, or electronic data processing service centers) to perform some or all of their
data processing. Entities that process certain transactions in-house have complete
control and responsibility for that function. On the other hand, entities that use
service organizations generally lose a certain degree of control over the portion of
their financial reporting information system maintained by the service organiza-
tion. They generally have limited ability and authority to define or enforce control
activities to be adopted or followed by the service organization.
Therefore, the auditor’s understanding of an entity’s financial reporting infor-
mation system should include the accounting system maintained by the service
organization.

Question 9: What are some of the procedures that the auditor can use to obtain
an understanding of internal control?

Answer: The auditor often obtains an understanding of internal control

through previous experience with the entity and through the performance of risk
assessment procedures, such as the following:

4 © 2007 CCH. All Rights Reserved.

• Inquiries of management, supervisory, and staff personnel within the entity. For
example, the auditor may inquire about the types of accounting documents
used to process sales transactions and about the entity’s control activities that
have been implemented for authorizing a credit sale.
• Observation of client activities and the application of specific controls. The auditor
can observe client personnel in the process of preparing accounting records
and documents and carrying out their assigned accounting and control
functions.
• Inspection of documents, reports, or electronic files. By inspecting actual, com-
pleted documents, reports, or electronic files, the auditor can better understand
their application to the entity’s internal control.
• Reviewing an entity’s policy and systems manuals. This includes both: (1) policy man-
uals and documents, such as a corporate code of conduct; and (2) systems manuals
and documents, such as an accounting manual and an organization chart.

Observation of activities and inspection of accounting documents and records

can provide knowledge about the design of controls and whether they have been
implemented. They can be conveniently and effectively combined in the form of
a transaction walk-through. With that procedure, the auditor selects the appropri-
ate documents for the initiation of a transaction type and traces them through
the entire accounting process. Furthermore, at each stage of the processing steps,
the auditor makes inquiries, observes personnel activities, and inspects completed
documentation for the transactions selected.

Question 10: Is a specific form of documentation required in the working papers

for the auditor’s understanding of an entity’s internal control?

Answer: No. Although the auditor is required to document his or her under-
standing of an entity’s internal control, the form and extent of the documentation
is flexible and is influenced by various factors, such as the following: (1) the risks
of material misstatement at both the financial statement and the relevant asser-
tion levels; (2) the nature and complexity of the entity’s internal control; and
(3) the nature of the entity’s documentation of internal control. The documen-
tation could take the form of memoranda, flowcharts, questionnaires, decision
tables, or a combination of these. For most small business audits, memoranda of
the understanding may be sufficient. The documentation should be more exten-
sive for larger and more complex entities.

Question 11: What factors might the auditor consider in determining whether
a professional with information technology (IT) skills is needed on the audit
team?

Answer: In determining whether a professional with IT skills is needed on the

audit team, the auditor might consider factors, such as the following:

• The complexity of the entity’s systems and IT controls and the manner in
which they are used in conducting the entity’s business.
• The significance of changes made to existing systems or the implementation of
new systems.
• The extent to which data is shared among systems.
• The extent of the entity’s participation in electronic commerce.
• The entity’s use of emerging technologies.
• The significance of audit evidence that is available only in electronic form.

© 2007 CCH. All Rights Reserved. 5

 Question 12: What compensating controls should the auditor consider when
there is a lack of segregation of duties in a small business?

Answer: Smaller entities may find that certain types of control activities
are not relevant because of highly effective controls applied by management.
Management of a small business is often dominated by an individual who has
an ownership interest in the business. Therefore, a major compensating control
available in a small entity is the knowledge and concern of the top operating
person who is frequently an owner-manager. The close involvement of the owner-
manager usually compensates for inadequate separation of duties. Therefore, even
companies that have only a few employees may be able to assign their responsi-
bilities to achieve appropriate controls. For example, internal control of a small
business can be significantly strengthened if the owner-manager performs duties,
such as the following:

• Reviewing supporting documents for disbursements before signing the checks;

• Reviewing bank reconciliations prepared by the accounting clerk and follow-
ing up on major unusual reconciling differences;
• Reviewing customer accounts receivable statements before they are mailed;
• Approving credit to customers;
• Approving write-offs of accounts receivable balances considered uncollectible;
and
• Approving draw-downs on lines of credit.

ABOUT THE AUTHOR

George Georgiades, CPA, has more than 26 years of experience in public
accounting, including seven years with an international public accounting firm.
He currently has his own firm and consults exclusively with CPA firms on tech-
nical accounting and auditing issues. He is a member of the American Institute
of Certified Public Accountants and the California Society of Certified Public
Accountants and is the author of Audit Procedures, GAAS Practice Manual and
GAAP Financial Statement Disclosures Manual.

6 © 2007 CCH. All Rights Reserved.

 CCH LEARNING CENTER
CCH’s goal is to provide you with the clearest, most concise, and up-
to-date accounting and auditing information to help further your
professional development, as well as a convenient method to help you
satisfy your continuing professional education requirements. The CCH
Learning Center* offers a complete line of self-study courses covering
complex and constantly evolving accounting and auditing issues. We are
continually adding new courses to the library to help you stay current
on all the latest developments. The CCH Learning Center courses are
available 24 hours a day, seven days a week. You’ll get immediate exam
results and certification. To view our complete accounting and auditing
course catalog, go to: http://cch.learningcenter.com.

* CCH is registered with the National Association of State Boards of

Accountancy (NASBA) as a sponsor of continuing professional education on
the National Registry of CPE Sponsors. State boards of accountancy have final
authority on the acceptance of individual courses for CPE credit. Complaints
regarding registered sponsors may be addressed to the National Registry
of CPE Sponsors, 150 Fourth Avenue North, Nashville, TN 37219-2417.
Telephone: 615-880-4200.
* CCH is registered with the National Association of State Boards of Accountancy as
a Quality Assurance Service (QAS) sponsor of continuing professional education.
Participating state boards of accountancy have final authority on the acceptance of
individual courses for CPE credit. Complaints regarding QAS program sponsors may
be addressed to NASBA, 150 Fourth Avenue North, Suite 700, Nashville, TN 37219-
2417. Telephone: 615-880-4200.

© 2007 CCH. All Rights Reserved. 7

 AC C OU N T ING RE SE A RCH MA NAGER ™

Accounting Research Manager is the most comprehensive, up-to-date, and objective

online database of financial reporting literature. It includes all authoritative and
proposed accounting, auditing, and SEC literature, plus independent, expert-written
interpretive guidance. And, now, in addition to our standard accounting and SEC
libraries, you can enjoy the full spectrum of financial reporting with our new Audit
library.
The new Audit library covers auditing standards, attestation engagement standards,
accounting and review services standards, audit risk alerts, and other vital auditing-
related guidance. You’ll also have online access to our best-selling GAAS Practice
Manual, Audit Procedures, Compilations & Reviews, Attestation Engagements, CPA’s
Guide to Effective Engagement Letters, CPA’s Guide to Management Letter Comments, and
be kept up-to-date on the latest authoritative literature via the GAAS Update Service.
With Accounting Research Manager, you maximize the efficiency of your research
time while enhancing your results. Learn more about our content, our experts, and how
you can request a FREE trial by visiting us at www.accountingresearchmanager.com.

GAAS UPDATE SERVICE is published semimonthly by CCH, 4025 W. Peterson

Ave., Chicago, Illinois 60646. Periodicals postage paid at Chicago, Illinois, and
at additional mailing offices. POSTMASTER: SEND ADDRESS CHANGES TO
GAAS UPDATE SERVICE, 4025 W. PETERSON AVE., CHICAGO, IL 60646.
Printed in the U.S.A. © 2007 CCH. All Rights Reserved.

8 © 2007 CCH. All Rights Reserved.