Gaas 109 Faq
GAAS
UPDATE SERVICE
Volume 07, Issue 15 August 15, 2007
With the release of Statements on Auditing Standards (SAS) Nos. 104 through
111 (collectively referred to as the “Risk Assessment Standards”), significant
changes to existing audit practice are expected. The Risk Assessment
Standards are effective for audits of financial statements for periods beginning
on or after December 15, 2006. One of the Risk Assessment Standards, SAS No.
109, Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement (SAS-109), requires the auditor, among other matters, to: (1) perform
risk assessment procedures to obtain an understanding of the entity and its
environment, including its internal control; (2) discuss the susceptibility of the
entity’s financial statements to material misstatements with members of the audit
team; (3) determine whether changes have occurred to information obtained in
prior periods, such as internal control and risk assessments, which would affect its
relevance to the current audit if the auditor plans to rely on that information; and
(4) identify and assess the risks of material misstatement at the financial statement
level and at the relevant assertion levels for classes of transactions, account
balances, and disclosures.
SAS-109 was covered in detail in the August 30, 2006, September 15, 2006,
and September 30, 2006 GAAS Update Service. This GAAS Update Service focuses
on practical issues relating to SAS-109 by using a “Question & Answer” format
designed to provide practical discussion, advice, and specific implementation
guidance.
Analysis & Explanation
Question 1: Besides making inquiries of management, to whom within the
entity might the auditor direct his or her inquiries when performing risk
assessment procedures?
• Persons charged with governance, such as the audit committee or the board of
directors, to gain an understanding of the environment in which the financial
statements are prepared.
• Internal auditors, to obtain information about: (1) their activities concerning
the design and effectiveness of internal control; and (2) management’s
responses to internal audit findings.
• Operating personnel who are not directly involved in financial reporting,
such as marketing, sales, or production personnel, to obtain information about
changes in the entity’s strategies and trends or in its contractual relationships.
• Employees involved in initiating, authorizing, recording, or processing unusual
or complex transactions, to assist the auditor in evaluating the appropriateness
of the accounting policies used.
• In-house legal counsel, to acquire information about matters, such as contracts,
compliance with laws and regulations, fraud, litigation, warranties, and
post-sale obligations.
• Help the audit team gain a better understanding of the potential for material
misstatement due to fraud or error;
• Help audit team members understand how the results of the audit procedures
they perform may affect other audit areas;
• Give more experienced team members an opportunity to share their knowledge
about the entity; and
• Enable team members to exchange information about the entity’s business risk
and the susceptibility of the financial statements to material misstatement.
Question 3: What are some of the critical issues that should be covered in the
engagement team’s discussion of the susceptibility of the financial statements to
material misstatements?
Answer: The discussion among the audit team of the susceptibility of the financial
statements to material misstatements should cover critical issues, such as:
Question 4: Is the auditor required to consider and understand all controls that
exist within an entity?
Answer: No. Generally, controls that are relevant to an audit pertain to the
entity’s objective of preparing its financial statements that are fairly presented in
conformity with GAAP or an other comprehensive basis of accounting. Entities
typically have additional controls that are not necessarily relevant to an audit
and, therefore, need not be considered. Examples include controls relating to the
effectiveness, economy, and efficiency of certain management decision-making
processes, such as whether to make expenditures for certain research and
development or advertising activities.
Also, although internal control is relevant to the entire entity or to any of its
operating units or business functions, an understanding of internal control
relevant to each of the entity’s operating units and business functions may not be
necessary.
Generally speaking, a financial audit would concentrate primarily on the
controls over financial reporting because these are the controls that are the
most likely to be meaningful to the audit. It may be helpful, however, to assess
controls in other areas that are relevant to the audit work, such as the
development of production statistics to be used in analytical procedures. Controls
over compliance with laws and regulations, such as employment practices and
occupational health and safety, although important to the company, ordinarily
do not have a direct effect on the financial statements and therefore need not
be assessed.
Question 5: What are the primary reasons for the auditor’s required
understanding of any internal control system?
• Determine whether the entity is auditable (i.e., the auditor must obtain
information about the integrity of management and the nature and extent of the
entity’s accounting records to be satisfied that sufficient competent evidence is
available to support the financial statements);
• Identify the types of potential misstatements, whether caused by error or by
fraud, that could occur in the financial statements;
• Consider factors that affect the risk that material misstatements will occur;
• Design tests of controls, when applicable; and
• Design substantive tests (i.e., the information obtained should allow the
auditor to design effective tests of financial statement balances, including tests of
details of transactions and balances, and analytical procedures).
Question 7: What are some signals that typically should increase the auditor’s
concern about the effectiveness of an entity’s control environment?
Answer: The following are some signals that generally should increase the
auditor’s concern about the effectiveness of an entity’s control environment:
Answer: Yes. Many entities use service organizations (e.g., banks, brokerage
firms, or electronic data processing service centers) to perform some or all of their
data processing. Entities that process certain transactions in-house have complete
control and responsibility for that function. On the other hand, entities that use
service organizations generally lose a certain degree of control over the portion of
their financial reporting information system maintained by the service
organization. They generally have limited ability and authority to define or enforce control
activities to be adopted or followed by the service organization.
Therefore, the auditor’s understanding of an entity’s financial reporting
information system should include the accounting system maintained by the service
organization.
Question 9: What are some of the procedures that the auditor can use to obtain
an understanding of internal control?
Answer: No. Although the auditor is required to document his or her
understanding of an entity’s internal control, the form and extent of the documentation
are flexible and are influenced by various factors, such as the following: (1) the risks
of material misstatement at both the financial statement and the relevant
assertion levels; (2) the nature and complexity of the entity’s internal control; and
(3) the nature of the entity’s documentation of internal control. The
documentation could take the form of memoranda, flowcharts, questionnaires, decision
tables, or a combination of these. For most small business audits, memoranda of
the understanding may be sufficient. The documentation should be more
extensive for larger and more complex entities.
Question 11: What factors might the auditor consider in determining whether
a professional with information technology (IT) skills is needed on the audit
team?
• The complexity of the entity’s systems and IT controls and the manner in
which they are used in conducting the entity’s business.
• The significance of changes made to existing systems or the implementation of
new systems.
• The extent to which data is shared among systems.
• The extent of the entity’s participation in electronic commerce.
• The entity’s use of emerging technologies.
• The significance of audit evidence that is available only in electronic form.
Answer: Smaller entities may find that certain types of control activities
are not relevant because of highly effective controls applied by management.
Management of a small business is often dominated by an individual who has
an ownership interest in the business. Therefore, a major compensating control
available in a small entity is the knowledge and concern of the top operating
person who is frequently an owner-manager. The close involvement of the
owner-manager usually compensates for inadequate separation of duties. Therefore, even
companies that have only a few employees may be able to assign their
responsibilities to achieve appropriate controls. For example, internal control of a small
business can be significantly strengthened if the owner-manager performs duties,
such as the following: