SAS no. 55 - help has arrived.
The Audit Guide Consideration of the Internal Control Structure in a Financial Statement Audit can help answer those questions. Issued by the AICPA auditing standards board's control risk audit guide task force, the guide provides information that can help auditors determine how to apply SAS no. 55 in a broad range of audit engagements.
WHY WAS THE GUIDE
Issue din 1988, SAS no. 55 covers audits of financial statements for periods beginning on or after January 1, 1990. It requires the auditor, in every audit, to do both of the following:
* Obtain an understanding of each element of the internal control structure (control environment, accounting system and control procedures) sufficient to plan the audit.
* Assess control risk for assertions related to significant account balances and transaction classes.
Because this standard is very conceptual, the ASB realized practitioners would find application difficult. Therefore, a task force was formed to develop a guide for practitioners. Following are some of the most common questions auditors are asking.
Q How does the guide help me apply SAS no. 55?
A As mentioned above, SAS no. 55 requires the auditor to understand the entity's internal control structure well enough to plan the audit. But what procedures are necessary to obtain that understanding? How should the understanding be documented? These are only some of the questions the guide answers.
The basic premise of the guide is that the procedures performed to understand the internal control structure and to assess control risk differ, depending on the preliminary audit strategy selected for a particular financial statement assertion. The guide describes two preliminary strategies an auditor could choose when auditing an assertion. As can be seen by referring to the flowchart (see the exhibit on page 109), an auditor may plan
* A primarily substantive approach (shown on the left side of the flowchart). An auditor who follows this strategy normally plans to assess control risk at or slightly below maximum. The auditor is not required to perform tests of controls when assessing control risk at maximum. (However, procedures performed to understand the internal control structure may provide some evidence of the design and operating effectiveness of control structure policies or procedures. If so, these procedures serve as tests of controls and may enable the auditor to assess control risk below maximum.)
* A lower control risk assessment (shown on the right side of the flowchart). Under this strategy, the auditor plans tests of controls to obtain evidence about the effectiveness of specific internal control structure policies and procedures. If those tests support the lower control risk assessment, the auditor performs fewer (or less effective) substantive procedures than he or she would perform if following a primarily substantive approach.
In each case, the preliminary audit strategy influences the nature, timing and extent of procedures used to obtain an understanding of the internal control structure, assess control risk and design substantive procedures.
The guide illustrates the effect of the preliminary audit strategy on the auditor's procedures by describing the audits of three hypothetical companies--Ownco, Young Fashions and Vinco.
Ownco is a small, owner-managed business that does not have complex organizational structure or a sophisticated computer system. Young Fashions is a growing, nonpublic company with multiple locations. For both of these companies, the guide assumes the auditors plan to assess control risk for assertions related to a specific account balance and transaction calss based only on procedures needed to plan a primarily substantive approach.
In contrast, Vinco is a pubilc company with a more complex organizational structure and a sophisticated computer system. Vinco's auditor chose to understand and test sufficient internal control sturcture policies and procedures to support a lower control risk assessment for some assertions. By comparing and contrasting the procedures auditors performed in each of the hypothetical companies, the guide demonstrates how to apply SAS no. 55 in a broad range of audits.
Q The flowchart in the guide is different from the one in SAS no. 55. Which flowchart should I use?
A The exhibit on page 109 shows the guide's flowchart, which was dsigned to facilitate an understanding of the guide and encompasses the concept of a preliminary audit strategy. It is similar to the one in SAS no. 55, which was intended to help auditors understand the conceptual framewofk of that standard. Both flowcharts can be useful in applying the provisions of SAS no. 55.
Q Do I have to follow one of the two strategies described in the guide?
A No. The guide presents only two strategies among the many an auditor could choose when auditing an assertion. Auditors are not required to select a preliminary audit strategy but generally a strategy is more efficient since, as described in the guide, it influences the nature, timing and extent of audit work.
Q The guide contains qualitative control risk assessments ranging from low to maximum. Must I use these terms when assessing control risk? Can I assess control risk in quantitative terms?
A For illustration, the guide uses qualitative control risk assessments that range from maximum--the greatest probability that a material misstatement will occur in a financial statement assertion and not be either prevented or quickly detected by the entity's internal control structure policies or procedures--to low. Auditors may assess control risk using these or other qualitative terms or they may use quantitative terms.
Q My client is a small, owner-managed service organization that, because of its size, doesn't have adequate segregation of duties. How can the guide help me with the audit of this small business?
A An inadequate segregation of duties because of limited personnel is a significant concern of many small business auditors. Often, a shortage of personnel in a small business results in an inadequate review function and in employees who are in a position both to perpetrate and conceal fraud in the normal course of business. Thus, an auditor generally finds many of the organization's internal control structure policies and procedures are ineffective in detecting and preventing material misstatements.
The guide discusses ways in which good owner-manager controls may mitigate the auditor's concern. For example, Ownco's owner-manager demonstrates a conservative attitude toward accepting business risks. He uses information generated by the accounting system to compare performance to that of prior years and he reviews accounting reports regularly. He also performs numerous control procedures. For example, he checks the accuracy of disbursements and reviews the periodic physical inventory compilations. These owner-manager procedures encourage employees to work with greater care, thereby reducing the risk of material misstatements. If the auditor obtains evidence that these procedures are effective, he or she may assess control risk below the maximum for specific assertions.
Q SAS no. 55 requires me to document that I obtained sufficient understanding of the internal control structure to plan the audit. If I assess control risk at maximum, it also requires that I document that conclusion. Alternatively, if I assess control risk below maximum, SAS no. 55 requires that I document the basis for my assessment. How does the new audit guide help an auditor to meet these documentation requirements?
A Over 100 pages of the guide are devoted to sample workpapers that illustrate how the auditors of the three hypothetical companies satisfied the documentation requirements of SAS no. 55. For entities with a simple internal control structure like Ownco, a memorandum is frequently used. However, as systems become more complex, narratives may become longer and important information can get buried in the discussion. Thus, flowcharts and questionnaires such as those illustrated for Young Fashions and Vinco could be more effective for documenting more complex internal control structure policies and procedures. Generally, the more complex the entity's internal control structure and the more extensive the procedures performed to obtain the understanding, the more extensive the auditor's documentation will end up being.
This article has described some of the ways the guide can assist practitioners in applying SAS no. 55. To obtain the guide, call (800) 334-6961 or (800) 248-0445 in New York State, or write to the AICPA order department. The guide is produce number 012450 and costs $25.
Barry Barber, national quality assurance partner, Grant Thornton, and Mimi Blanco-Best, technical manager in the American Institute of CPAs auditing standards division, answer questions about a new audit guide.