SAS Update

During 2005 and 2006, the American Institute of Certified Public Accountants issued several new standards to improve and clarify auditing standards in general.

There were two statements that were issued and became effective upon issuance:

Statement on Auditing Standards (SAS) Numbers 102 and 103.

SAS No. 102, Defining Professional Requirements in Statement on Auditing Standards, clarifies which steps in auditing standards are “unconditional requirements,” defined by words such as “must” and “is required to,” and which are “presumptively mandatory requirements,” defined by words such as “should.”

SAS No. 103, Audit Documentation, provides guidance on audit documentation as an essential element of audit quality. This standard also gives guidance on the date of the audit report, which cannot be earlier than the date on which the auditor has obtained sufficient appropriate audit evidence to support the opinion. As a result, the audit report date will need to be close to the date the reports are released.

The American Institute of Certified Public Accountants also issued the Risk Assessment standard in March 2006. The project originated as a joint project with SAS No. 99, Consideration of Fraud in a Financial Statement Audit. These standards were issued because the Accounting Standards Board believes that they will strengthen auditing standards and provide a more in-depth understanding of the entity and its environment, a more rigorous assessment of material misstatements, and improved linkage between assessed risk and the nature, timing and extent of audit procedures performed.

The following standards are in the suite of SASs issued in connection with the Risk Assessment standards:

SAS No. 104 – Amendment to SAS No. 1 – Codification of Auditing Standards and Procedures

SAS No. 105 – Amendment to SAS No. 95 – Generally Accepted Auditing Standards

SAS No. 106 – Audit Evidence

SAS No. 107 – Audit Risk and Materiality in Conducting an Audit

SAS No. 108 – Planning and Supervision

SAS No. 109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

SAS No. 110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

SAS No. 111 – Amendment to SAS No. 39 – Audit Sampling

A greater understanding of the entity is required. Auditors are no longer able to assess control risk at maximum without a basis for that determination.

There are several steps auditors must take in applying the Risk Assessment Standards.

Gathering Information - The auditors must begin by gathering information about the entity and its environment, including its internal control. Information gathering should include, at a minimum, information obtained from external factors; information about the nature of the client; information in connection with the objectives and strategies and related business risks of the client; information regarding the client’s measurement parameters, including a review of the client’s financial performance; and information in connection with the client’s internal controls.

Understand the Entity - The auditor must also understand the entity and its environment, including its internal control. The auditor must anticipate and evaluate what could go wrong, and be able to synthesize the information gathered to determine how it might affect the financial statements. The auditor must also evaluate the design of the client’s controls and determine if those controls have been implemented (which is different from a test of controls). In evaluating whether controls have been implemented, the auditor should determine if there is an awareness of the existence of the procedure in question and if the staff implementing the control have a working knowledge of how the procedure should be performed.

Assess Risk - The auditor must assess the risk of material misstatement by identifying risks throughout the process, relating the identified risks to what can go wrong at the relevant assertion level, and considering whether the risks could result in a material misstatement to the financial statements. Once “significant risks” have been identified, the auditor can then design audit procedures accordingly.

Design Audit Procedures - The auditor should design overall responses and further audit procedures at both the financial statement level and the relevant assertion level. In designing audit procedures, the auditor must provide and document a clear linkage between the assessment of the risk of material misstatement and the nature, timing and extent of the further audit procedures.