812

  1. Communicating Internal Control Related Matters Under SAS No. 115

    812.1 SAS No. 115, Communicating Internal Control Related Matters Identified in an Audit (AU 325), establishes requirements for auditors to communicate certain control deficiencies, including control deficiencies in a management agent's internal control, that they have identified during the audit. Control deficiencies which, in the auditor's judgment, are significant deficiencies or material weaknesses must be communicated in a written report.
  2. 812.2 SAS No. 115 establishes two requirements:
    • The auditor should evaluate identified control deficiencies and determine whether, individually or in combination, they are significant deficiencies or material weaknesses.
    • The auditor should communicate, in writing, to management and those charged with governance all significant deficiencies or material weaknesses identified during the audit, including those communicated in prior audits if they have not been corrected.
  3. 812.3 To determine which control deficiencies to report, the auditor must first identify control deficiencies, and then evaluate them to determine whether the deficiencies, individually or in combination, are significant deficiencies or material weaknesses.
  4. 812.4 Identifying Control Deficiencies
    SAS No. 115 indicates “a control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.” A control deficiency may be either a deficiency in design or a deficiency in operation. Deficiency in design and deficiency in operation are discussed further in paragraph 812.10.
  5. 812.5 In a GAAS audit, an auditor is not required to perform procedures to identify deficiencies in internal control. However, an auditor may become aware of control deficiencies while performing audit procedures such as obtaining an understanding of internal control, assessing the risks of material misstatement of the financial statements due to error or fraud, performing further audit procedures to respond to assessed risks, and communicating with management or others. Accordingly, an auditor's awareness of control deficiencies varies with each audit and is influenced by the nature, timing, and extent of audit procedures performed.
  6. 812.6 Evaluating Control Deficiencies
    Although there is no requirement to search for control deficiencies to report, the auditor should evaluate identified control deficiencies to determine if they are significant deficiencies or material weaknesses. Auditors should evaluate control deficiencies individually and in the aggregate by significant account balance, disclosure, relevant assertion, and component of internal control. This is because multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a significant deficiency or material weakness even though they are individually insignificant.
  7. 812.7 Significant Deficiency
    According to SAS No. 115 (AU 325.07), a significant deficiency is “a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.” Identified control deficiencies should be evaluated to determine whether they are significant deficiencies or material weaknesses.
  8. 812.8 Material Weakness
    A material weakness is defined by SAS No. 115 (AU 325.06) as a “deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.” SAS No. 115 (AU 325) requires auditors to separately identify significant deficiencies and material weaknesses. The difference between a significant deficiency and a material weakness is the severity of the control deficiency when evaluated individually or in combination with other deficiencies. The severity of an identified control deficiency depends on (a) the magnitude of the potential misstatement resulting from the deficiency or deficiencies and (b) whether there is a reasonable possibility that the entity's controls will fail to prevent, or detect and correct, a misstatement of an account balance or disclosure.
  9. 812.9 When evaluating the severity of an identified control deficiency under SAS No. 115, the authors believe most auditors will begin by considering whether an identified control deficiency should be considered a material weakness. If not, they will consider its severity to determine whether it should be communicated to management as a significant deficiency. Unlike judgments about materiality, which can affect whether a client's financial statements are fairly presented (and, thus, the auditor's report), the auditor's judgment about the severity of an identified control deficiency affects only whether the auditor communicates the significant deficiency or material weakness to the client. Therefore, when in doubt, the authors recommend communicating it to the client.
  10. 812.10 Examples of Deficiencies
    As discussed in paragraph 812.4, a control deficiency may be either a deficiency in design or a deficiency in operation. A deficiency in design exists when a control necessary to meet the control objectives is missing or an existing control is not properly designed so that, even if it operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control lacks the necessary authority or qualifications to perform the control effectively. Exhibit 8-5 lists examples from SAS No. 115 for both deficiencies in design and deficiencies in operation. While SAS No. 115 distinguishes between the two types of control deficiencies, there is no requirement to indicate in the communication to management and those charged with governance which are deficiencies in design and which are deficiencies in operation. The examples in the exhibit may be control deficiencies, significant deficiencies, or material weaknesses.
  11. Exhibit 8-5
    Examples of Circumstances That May Be Control Deficiencies, Significant Deficiencies, or Material Weaknesses

    Deficiencies in the Design of Controls
    • Inadequate design of internal control over financial statements.
    • Inadequate design of internal control over a significant account or process.
    • Inadequate documentation of the internal control components.
    • Insufficient control consciousness within the association, e.g., the tone at the top and the control environment.
    • Absent or inadequate segregation of duties within a significant account or process.
    • Absent or inadequate controls over the safeguarding of assets (this applies to controls that the auditor determines would be necessary for effective internal control over financial reporting).
    • Inadequate design of information technology (IT) general and application controls that prevent the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.
    • Employees or management lack the qualifications and training to fulfill their assigned functions. For example, the person responsible for the accounting and reporting function lacks the skills and knowledge to apply GAAP in recording transactions or preparing the financial statements.
    • Inadequate design of monitoring controls used to assess the design and operating effectiveness of internal control over time.
    • The absence of an internal process to report deficiencies in internal control to management on a timely basis.

    Failures in the Operation of Internal Control
    • Failure in the operation of effectively designed controls over a significant account or process, for example, the failure of a control requiring dual authorization for significant disbursements.
    • Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy.
    • Failure of controls designed to safeguard assets from loss, damage, or misappropriation. [This circumstance may need careful consideration when it is evaluated as a significant deficiency or material weakness. Material weaknesses relating to controls over the safeguarding of assets only exist if controls to prevent or detect a material misstatement of the financial statements are ineffective.]
    • Failure to reconcile significant accounts.
    • Undue bias or lack of objectivity by those responsible for accounting decisions, for example, expenses are consistently understated at the direction of management.
    • Misrepresentation by client personnel to the auditor.
    • Management override of controls.
    • Failure of an application control caused by a deficiency in the design or operation of an IT general control.
    • An observed deviation rate that exceeds the number of deviations expected by the auditor in the test of the operating effectiveness of a control.
  12. 812.11 Factors to Consider When Evaluating Control Deficiencies
    The auditor considers both the likelihood and magnitude of potential misstatement when evaluating control deficiencies. If, in the auditor's professional judgment, the likelihood that a misstatement could have occurred because of a control deficiency is remote, the auditor can conclude that the control deficiency does not rise to the level of a significant deficiency or material weakness. Accordingly, the magnitude of the misstatement does not matter.
  13. If, however, the auditor believes that it is at least reasonably possible that a misstatement could occur because of a control deficiency, the auditor should also evaluate the magnitude of the deficiency to determine whether it results in a significant deficiency or material weakness. In evaluating the likelihood of a misstatement, the auditor might consider risk factors such as:
    • The nature of the accounts, disclosures, and assertions involved, e.g., suspense accounts may present more risk.
    • Susceptibility of the related assets or liabilities to loss or fraud.
    • The complexity, subjectivity, and extent of judgment needed to determine the amount involved.
    • The relationship and interaction of the control with other controls.
    • Interaction of the control deficiency with other control deficiencies.
    • Possible future consequences of the deficiency.
  14. 812.12 Indicators of Material Weaknesses
    According to SAS No. 115, the following conditions are indicators of material weaknesses:
    • Identification of fraud, whether or not material, on the part of senior management.
    • Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud.
    • Identification by the auditor of a material misstatement of the financial statements under audit in circumstances indicating that the misstatement would not have been detected by the entity's internal control.
    • Ineffective oversight of the entity's financial reporting and internal control by those charged with governance.
  15. 812.13 While SAS No. 115
    identifies the factors described in the preceding paragraph only as
    indicators of material weaknesses, the authors believe auditors
    generally would consider such deficiencies
    material weaknesses unless, as discussed beginning at paragraph 812.24, there are compensating controls that mitigate the severity of the deficiency.
  16. 812.14 Can the Auditor Draft the Financial Statements?
    A question that frequently arises is whether auditors can draft the client's financial statements without having to report a significant deficiency or material weakness. Asking the auditor to draft financial statements does not cause a control deficiency. However, it may be the result of a control deficiency. The intent of SAS No. 115 is not to prevent auditors from drafting the client's financial statements. Instead, the issue to be considered when determining if a significant deficiency or material weakness exists is whether the client is capable of preparing the financial statements and has the skills and competencies necessary to prevent, detect, and correct a material misstatement. A system of internal control over financial reporting includes controls over financial statement preparation, including note disclosures. A control deficiency exists when the client does not have controls over preparation of the financial statements that would prevent or detect a misstatement in the financial statements.
  17. 812.15 If the client is not capable of drafting the financial statements and lacks the skills and competencies to prevent, detect, and correct a misstatement, the client has a control deficiency that is probably a material weakness. The auditor can still draft the financial statements but the material weakness must be communicated to those charged with governance. The fact that the auditor drafts the financial statements may mean they are correct, but it does not eliminate the control deficiency because an auditor cannot be considered part of the client's internal control. Thus, controls over the financial statement preparation function that exist in the auditor's firm cannot be considered. Only the controls the client has in place can be considered in determining whether there is a control deficiency and its severity. (However, a CPA firm other than the auditor's firm can be part of the client's internal control, and those controls could be considered.)
  18. 812.16 It is important for the client to know that even if the auditor drafts the financial statements and the related notes, the client remains responsible for them. The authors recommend that the auditor clearly communicate to management and those charged with governance that the financial statements are the responsibility of management. Further, management and those charged with governance need to be made aware of the possible consequences of not correcting control deficiencies.
  19. 812.17 Another way of looking at the issue is to consider whether the client has sufficient knowledge to identify a material misstatement in the auditor-prepared financial statements. If the auditor gave financial statements to a CIRA client knowing that they contained material errors, would the client have controls in place that would detect those misstatements? For example, would the client recognize a misstatement in the income tax accrual, identify an error in the recording of transfers to the repair and replacement fund, or notice that an important disclosure had been omitted from the notes to the financial statements? If the answer to questions such as these is “no,” the authors believe the client lacks the skills and competencies to prevent, detect, and correct a misstatement and, therefore, has a control deficiency that is probably a material weakness.
  20. 812.18 It is important to distinguish between the auditor's responsibilities under the AICPA Ethics Rules and SAS No. 115. Ethics Rule 101 requires independence in performance of an audit. According to Ethics Interpretation 101-3, Performance of Nonattest Services, before auditors perform nonattest services, they should determine that the requirements of 101-3 have been met. Chapter 1 discusses Interpretation 101-3 in further detail. The determination of auditor independence is totally separate from the evaluation of whether there is a control deficiency. Even though the auditor can prepare financial statements and maintain independence under the ethics rules, there could be a control deficiency. It is important to note that there are two levels of understanding of accounting and financial reporting required by SAS No. 115 and Interpretation 101-3. Under SAS No. 115, the issue to be considered is whether the client is capable of performing accounting functions and preparing the financial statements and has the skills and competencies necessary to prevent, detect, and correct a misstatement. Under Interpretation 101-3, the auditor may assist management in performing management functions or making management decisions if they meet certain criteria. Among those criteria, Interpretation 101-3 allows clients to designate an individual who possesses suitable skill, knowledge, or experience, preferably within senior management, to oversee nonattest services. Possessing suitable skill, knowledge, or experience to oversee a service requires a lower level of technical knowledge than the competence criteria in SAS No. 115.
  21. 812.19 Under Ethics Interpretation 101-3, establishing and maintaining (or functioning as) the client's internal controls would impair the auditor's independence. However, proposing journal entries or preparing the client's financial statements would not automatically impair independence. As a practical matter, small and midsize entities typically view proposing journal entries and preparing financial statements as part of the audit, and, based on implementation guidance published by the AICPA Professional Ethics Executive Committee (PEEC), the authors believe it is clear that PEEC did not intend for Interpretation 101-3 to require viewing those services as separate from the audit. Thus, proposing journal entries and preparing financial statements in connection with an audit would not impair independence.
  22. 812.20 Determining whether a control deficiency exists and whether it is a significant deficiency or a material weakness is subjective and often may be a difficult judgment call. There are many gray areas requiring professional judgment. The authors believe that auditors cannot draw a hard line on what constitutes a significant deficiency or a material weakness. Instead, auditors must evaluate the facts and circumstances specific to each situation.
  23. 812.21 Auditor Identifies Misstatements in the Financial Statements
    During the course of an audit, an auditor might identify (and propose adjustments to correct) any number of errors, some of which may be material to the CIRA's financial statements. SAS No. 115 states that the auditor's identification of a material misstatement of the financial statements in circumstances that indicate that it would not have been identified by the entity's internal control is an indicator of a material weakness. Therefore, whenever the auditor identifies a material misstatement in the financial statements, he or she should evaluate whether the control deficiency that allowed the misstatement to occur represents a material weakness or a significant deficiency.
  24. 812.22 If an auditor identifies a misstatement that is less than material, the authors believe the auditor also should evaluate whether the control deficiency that allowed the misstatement to occur represents a control deficiency, a significant deficiency, or a material weakness. If the auditor determines the control deficiency is, individually or when aggregated with other deficiencies, a significant deficiency or a material weakness, SAS No. 115 requires the auditor to communicate the deficiencies to the appropriate parties.
  25. 812.23 Aggregation of Deficiencies
    SAS No. 115 requires auditors to evaluate control deficiencies both individually and in the aggregate by significant account balance, disclosure, relevant assertion, and component of internal control to determine whether they represent a significant deficiency or material weakness on an aggregate basis. An auditor may consider several control deficiencies in and of themselves insignificant and, thus, only a control deficiency. However, if those control deficiencies are all related (for example, they all relate to the same account balance or same component), the requirement in SAS No. 115 to aggregate control deficiencies by significant account might cause the auditor to consider them a significant deficiency or a material weakness when aggregated.
  26. 812.24 Mitigating Effects of Compensating Controls
    The auditor's focus is generally on controls that work. When the auditor identifies deficiencies in controls, there may be redundant controls that achieve the same objectives (see paragraph 812.25) or mitigating controls that limit the severity of the control deficiencies. When a control deficiency has been identified, SAS No. 115 (AU 325.14) states the auditor may consider (but is not required to consider) whether there are compensating controls that could prevent the identified deficiency from being considered a material weakness or a significant deficiency. Compensating controls should be evaluated to determine if they mitigate the severity of a control deficiency such that it does not rise to the level of a significant deficiency or material weakness. Compensating controls that the auditor tests and evaluates as part of the audit may be considered for possible mitigating effects. However, even though a deficiency does not rise to the level of a significant deficiency, the control deficiency still exists. Compensating controls can only mitigate—not eliminate—a control deficiency.
  27. 812.25 Redundant Controls
    Redundant controls are controls that duplicate other controls and achieve the same objectives. Unlike compensating controls, redundant controls can eliminate a control deficiency. Therefore, if a CIRA client has a control that is not properly designed and operating, but a redundant control achieves the same objectives as the deficient control, the auditor can test the design and operating effectiveness of the redundant control. If the redundant control is found to be effective, the auditor can conclude that there is no control deficiency.
  28. 812.26 Prudent Official Assessment
    SAS No. 115 requires auditors to consider whether prudent officials, having knowledge of the same facts and circumstances, would agree with the auditor's conclusion that an identified deficiency is not a material weakness. In other words, would a prudent official, knowing what the auditor knows about the facts and circumstances, other controls tested, and the likelihood and magnitude of potential misstatement, agree with the auditor's conclusion that a deficiency is not a material weakness? The SAS does not define the term prudent official. Instead, the intent is for the auditor to take a final, objective look at the severity of the deficiency similar to what a regulator or someone in an agency oversight role would do. This objective consideration is used only to gauge whether the judged severity of a control deficiency should be increased—not to justify a decrease in the severity.
  29. 812.27 Control Deficiency Worksheets
    The “Control Deficiency Evaluation and Aggregation Worksheet” at HOA-CX-15.1 has been designed to help auditors summarize and evaluate whether control deficiencies, either individually or in combination, are significant deficiencies or material weaknesses. Auditors also may find the “Control Deficiency Comment and Management Point Development Worksheet” at HOA-CX-15.2 helpful when developing information about a control deficiency for communication to management and those charged with governance.
  30. 812.28 Communication Requirements
    The auditor must communicate significant deficiencies and material weaknesses identified during the audit, including significant deficiencies and material weaknesses in a managing agent's internal control, in writing to management and those charged with governance. SAS No. 103 defines those charged with governance as the persons responsible for overseeing the strategic direction of the entity and obligations related to the accountability of the entity, including oversight of the financial reporting and disclosure process. In a CIRA, those charged with governance may include the CIRA's board of directors, audit committee (if any), and the management company.
  31. 812.29 The communication is best made by the report release date but, in any case, should be made within 60 days of that date. The report release date is defined in SAS No. 103 (AU 339), Audit Documentation, as the date that the auditor grants the entity permission to use the auditor's report in connection with the financial statements. The communication of significant deficiencies should include the following elements:
    • A statement that indicates the purpose of the auditor's consideration of internal control was to express an opinion on the financial statements, but not to express an opinion on the effectiveness of the entity's internal control.
    • A statement that indicates the auditor is not expressing an opinion on the effectiveness of internal control.
    • A statement that indicates that the auditor's consideration of internal control was not designed to identify all deficiencies in internal control that might be significant deficiencies or material weaknesses.
    • The definition of the term material weakness and, where relevant, the definition of the term significant deficiency.
    • An identification of matters that are considered to be significant deficiencies and those that are considered to be material weaknesses.
    • A statement that indicates the communication is intended solely for the information and use of management, those charged with governance, and others within the organization and is not intended to be and should not be used by anyone other than these specified parties. If an entity is required to furnish such auditor communications to a governmental authority, specific reference to such governmental authorities may be made.
  32. 812.30 SAS No. 115 requires significant deficiencies and material weaknesses reported in prior years that still exist to be reported again. The authors believe there should be an indication that the same comments were made in prior communications. For convenience, such comments may be presented separately from new comments under a heading such as “Significant Deficiencies Communicated in Prior Years.” Prior-year comments typically are presented after new comments. The communication may merely refer to the previously issued communication and its date.
  33. 812.31 The auditor may orally communicate significant deficiencies and material weaknesses during the audit. These communications need not be in writing at the interim date. However, communications of significant deficiencies or material weaknesses ultimately must be communicated in writing to management and those charged with governance.
  34. 812.32 Reporting When There Are No Significant Deficiencies
    To prevent potential misunderstandings, SAS No. 115 prohibits the auditor from issuing a written communication stating that no significant deficiencies were noted during the audit. Therefore, if no significant deficiencies or material weaknesses were identified in an audit engagement, no SAS No. 115 communication would be provided to the client. Even though there may be no significant deficiencies, less serious control deficiencies may still exist, and SAS No. 115 does not preclude auditors from communicating those to management. The form of communication is not subject to the requirements of SAS No. 115. Accordingly, auditors may want to include the deficiencies in a separate communication such as a management letter. Management letters are discussed in paragraph 812.35.
  35. 812.33 Reporting When There Are No Material Weaknesses
    The auditors' communication of significant deficiencies may indicate that no material weaknesses were noted. Thus, auditors may discuss the absence of material weaknesses but not the absence of significant deficiencies. Because SAS No. 115 (AU 325.24) specifically allows an auditor to provide a communication of no material weaknesses to a governmental authority, some believe that auditors are not permitted to provide such a communication to other third-party users. The authors caution auditors to consult with their legal counsel about the potential risks involved before agreeing to furnish such a communication to other third-party users.
  36. 812.34 Illustrative Communications
    The following may be used to communicate significant deficiencies and, when applicable, material weaknesses:
    • HOA-CL-4.1: Communication of Significant Deficiencies.
    • HOA-CL-4.2: Communication of Significant Deficiencies and Material Weaknesses.
    • HOA-CL-4.3: Communication of No Material Weaknesses in a Separate Report.
  37. 812.35 Management Letter Comments
    During the audit, the auditors may identify control deficiencies they do not consider to be significant deficiencies or material weaknesses. In addition, other suggestions on how to improve administrative or other functions (for example, legal requirements, operational efficiencies, and tax strategies) may be identified. There is no requirement to communicate these other control deficiencies. However, if the auditor decides to communicate such matters, SAS No. 115 (AU 325) indicates that the communication can be made orally; however, any oral communications should be documented in the audit workpapers. All such matters are sometimes called management points, and as a matter of client service, most auditors take time to educate and inform the client by preparing a formal “management letter.” An example of an introductory transmittal letter of management points is presented in Appendix 8B-1.
  38. Communication with Those Charged with Governance

    812.36 SAS No. 114, The Auditor's Communication With Those Charged With Governance, establishes the following unconditional communication responsibility:
    The auditor must communicate with those charged with governance matters related to the financial statement audit that are, in the auditor's professional judgment, significant and relevant to the responsibilities of those charged with governance in overseeing the financial reporting process (SAS No. 114, Paragraph 5).
  39. 812.37 The communication requirements of SAS No. 114 apply to all entities, regardless of their governance structure or size. However, the standard does provide specific considerations for situations where all of those charged with governance are also involved in managing the entity. SAS No. 114 does not establish requirements for communication with management or owners unless they are also charged with a governance role.
  40. 812.38 The term “those charged with governance” replaces references in prior SASs to the board of directors or audit committee, but is much broader in scope. It includes all “person(s) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting process” (SAS No. 114, Paragraph 3).
  41. 812.39 In some small CIRAs, the appropriate person(s) with whom to communicate may not be clearly identifiable. In this situation, the auditor and the engaging party should agree on who are the appropriate person(s) within the governance structure. Also, if all those charged with governance are involved in managing the CIRA, the auditor should consider whether communication with the person(s) with financial reporting responsibilities adequately informs all of those with whom the auditor would otherwise have to communicate because of their governance role. Many governing bodies have subgroups, such as audit committees or similar groups. The auditor should evaluate whether communication with a subgroup of those charged with governance (or with an individual) adequately meets the auditor's responsibility to communicate with those charged with governance.
  42. 812.40 The auditor should communicate the following broad categories or matters to those charged with governance:
    a. The auditor's responsibilities under generally accepted auditing standards.

    b. An overview of the planned scope and timing of the audit.

    c. Significant findings from the audit.
  43. 812.41 Responsibilities Under GAAS. The auditor should communicate the following matters:
    a. The auditor is responsible for forming and expressing an opinion about whether the financial statements are presented fairly, in all material respects, in conformity with GAAP.

    b. The audit of the financial statements does not relieve management or those charged with governance of their responsibilities.

    The auditor may communicate these matters through the engagement letter or similar means as long as that communication is provided to those charged with governance. The auditor may simultaneously communicate other matters, such as the degree of responsibility assumed for errors or fraud, internal control, and similar matters.
  44. 812.43 Significant Audit Findings. The auditor should communicate the following matters:
    a. Qualitative Aspects of the Entity's Significant Accounting Practices. The appropriateness of the accounting policies to the particular circumstances of the CIRA, management's process for identifying and making significant estimates, and the neutrality, consistency, and clarity of disclosures. If the auditor considers a significant accounting practice to be inappropriate, the auditor should explain why and request changes.

    b. Significant Difficulties Encountered During the Audit. Explicit and implicit restrictions imposed by management, including significant delays in providing required information, unavailability of expected information, an unnecessarily brief time to complete the audit, or unexpected effort to obtain sufficient, appropriate audit evidence.

    c. Uncorrected Misstatements. The effect that individual uncorrected misstatements from the current and prior period may have on the opinion, and the implications of failing to correct, considering qualitative as well as quantitative factors.

    d. Disagreements with Management. Whether or not satisfactorily resolved, differences with management about application of accounting principles, audit scope, or reporting disclosures, and similar matters that individually or in the aggregate could be significant to the CIRA's financial statements or the auditor's report.

    e. Independence. Circumstances or relationships that in the auditor's professional judgment may reasonably be thought to bear on independence. (SAS No. 114 does not mandate this communication, but states the auditor “may determine” it is appropriate.)
  45. 812.44 In addition to the matters listed in paragraph 812.43, unless all those charged with governance are involved in managing the entity, the auditor also should communicate the following:
    a. Material Corrected Misstatements. Misstatements brought to the attention of management as a result of auditing procedures.

    b. Representations Requested from Management. This may be done by providing a copy of the written representations obtained from management.

    c. Management's Consultations with Other Accountants. The auditor's views about significant accounting or auditing matters that were the subject of consultation.

    d. Significant Issues Discussed, or Subject to Correspondence with, Management. Issues such as application of accounting principles and auditing standards; and business conditions, plans or strategies that may affect the risks of material misstatement.
  46. 812.45 The significant audit findings (see beginning at paragraph 812.43) should be communicated in writing when the auditor believes that oral communication would not be adequate. When the communication is in writing, the auditor should indicate that it is intended solely for the information and use of those charged with governance and, if appropriate, management, and is not intended to be and should not be used by anyone other than these specified parties. The communication should be on a sufficiently timely basis to permit appropriate action. The auditor should evaluate whether the two-way communication process with those charged with governance is adequate and, if it is not, consider the effects of the risks of material misstatements and the sufficiency and appropriateness of the audit evidence supporting the auditor's opinion.
  47. 812.46 SAS No. 114 does not change the following communication requirements of other SASs:
    a. SAS No. 54 (AU 317.17), Illegal Acts by Clients, to communicate with the audit committee, or others with equivalent authority and responsibility, illegal acts.

    b. SAS No. 99 (AU 316.22), Consideration of Fraud in a Financial Statement Audit, to inquire directly of the audit committee (or at least its chairman) regarding its views on risks of fraud and knowledge of fraud or suspected fraud.

    c. SAS No. 99 (AU 316.79), to communicate with those charged with governance all fraud involving senior management and any other fraud that causes a material misstatement on the financial statements.

    d. SAS No. 115 (AU 325.20), Communicating Internal Control Related Matters Identified in an Audit, to communicate in writing to management and those charged with governance control deficiencies that are considered significant deficiencies or material weaknesses.

    e. SAS No. 59 (AU 341.17), An Entity's Ability to Continue as a Going Concern, the effects on the audit report and financial statement disclosures, as well as the nature of conditions and events identified, when the auditor concludes there is a substantial doubt about the entity's ability to continue as a going concern for a reasonable period of time.
  48. 812.47 Documentation of Communications. SAS No. 114 requires the auditor to document matters that have been communicated orally. This documentation may include a copy of minutes prepared by the entity. When matters have been communicated in writing, the auditor should retain a copy of the communication. HOA-CL-5.1, “Communication with Those Charged with Governance during Planning,” and HOA-CL-5.2, “Communication with Those Charged with Governance at or Near the Conclusion of the Audit,” provide drafting illustrations that can be used to communicate with those charged with governance.
  49. Fraud and Illegal Acts

    812.48 The auditor's responsibility to evaluate the results of audit procedures and consider whether they lead the auditor to believe that an error or fraud may have occurred is discussed beginning at paragraph 810.1. In addition, Chapter 6 discusses the auditor's detection and communication responsibilities under SAS No. 99 related to misstatements caused by fraud. SAS No. 54, Illegal Acts by Clients (AU 317), imposes detection and communication responsibilities for illegal acts, that is, for violations of laws and regulations that have a direct and material effect on the determination of financial statement amounts. (Federal income tax statutes governing CIRAs, for example, contain laws and regulations that could have a direct and possibly material effect on the financial statements.) SAS No. 54 imposes lesser responsibilities for detection of illegal acts having material but indirect effects on the determination of financial statement amounts (the auditor only need be aware of the possibility that they may have occurred) and establishes communication responsibilities for those acts.
  50. 812.49 When the auditor is confronted with a discrepancy between the accounting records and other evidential matter (for example, no supporting documentation or no apparent authorization for a transaction, or discovery of documents for transactions that are not recorded), the auditor needs to consider how and why it might have occurred and investigate further. If the investigation indicates there may have been fraud or an illegal act, the auditor should:
    a. Obtain an understanding of the matter and other sufficient information to evaluate the possible effects on the financial statements and the auditor's report, including the need for adjustments and for disclosure of illegal acts and any related contingencies, or the need for a report modification if necessary financial statement adjustments or disclosures are not made or because of a scope limitation.

    b. Consider the implications for other aspects of the audit, for example, reliance on management's representations.

    c. Discuss the matter and the need for any further investigation with an appropriate level of management at least one level above those involved.

    d. Consult with the CIRA's legal counsel (or suggest that the CIRA consult with legal counsel as appropriate) on any questions of law and on the course of action the client should take.

    In the rare event that management is not willing to follow sound legal advice about fraud or illegal acts, the auditor should seek the recommendation of a lawyer on his or her own legal responsibilities, including possible withdrawal from the engagement. The auditor would, of course, carefully document all communications related to the matter and its disposition.
  51. 812.53 Communication about Fraud
    SAS No. 54 requires the auditor to be sure that the audit committee or others charged with governance are adequately informed about any illegal acts, unless clearly inconsequential, that come to the auditor's attention. As discussed in Chapter 6, if the auditor determines there is evidence that fraud may exist (even if the matter is inconsequential), SAS No. 99 (AU 316.79) requires the auditor to report it to the appropriate level of management. If the fraud or potential fraud involves senior management or causes the financial statements to be materially misstated, it should be reported directly to those charged with governance. Auditors are also required to reach an understanding with those charged with governance about the nature and extent of communication about misappropriations committed by lower level employees. In the absence of such an agreement, the authors believe the auditor should report all instances of fraud to both the appropriate level of management and to those charged with governance. The authors recommend that communications about possible fraud be made in writing; if made orally, the nature of the communication should be documented in the workpapers.
  52. 812.54 Both SAS No. 54 and SAS No. 99 state that the auditor ordinarily is not responsible for disclosing fraud or other illegal acts to parties other than senior management and its audit committee. However, state laws may require communication of certain illegal acts. The authors recommend that auditors seek legal advice in those situations.
  53. Communication about the CIRA's Ability to Continue as a Going Concern

    812.55 SAS No. 114 amends SAS No. 59, The Auditor's Consideration of an Entity's Ability to Continue as a Going Concern, to require the auditor to communicate with those charged with governance events or conditions that, when considered in the aggregate, indicate a substantial doubt about the CIRA's ability to continue as a going concern for a reasonable period of time. The auditor should communicate the following to those charged with governance (AU 341.17):
    • The nature of the events or conditions identified.

    • The possible effect on the financial statements and the adequacy of related disclosures in the financial statements.

    • The effects on the auditor's report.
Author
Kshowalter
ID
57711
Card Set
812
Description
812
Updated