Transparency In Ministry

In our previous posts we have discussed the new risk standards promulgated by the AICPA affecting audits for years ending after 12/16/07. In post #5 we briefly discussed SAS 108 and 109. Now we will end this series of posts and discuss SAS 110 and 111.

SAS 110 – provides new guidance on matters the auditor should consider in determining the nature, timing, and extent of audit procedures. Basically, SAS 110 redirects the auditors’ consideration of risk at the financial statement level to the financial statement category ‘line level’ so that auditor can make their risk assessment as a result of, and in conjunction with, their performance of risk assessment procedures performed as indicated above. This is the final risk assessment step. The auditor will take into consideration all of the information obtained as a result of these procedures and use that to design and perform tailored audit procedures.

SAS 111 – provides a more clear-cut guidance on the auditors’ assessment of their materiality levels.

In conclusion, this sounds like a lot of additional work, and make no mistake about it, it is. But these standards are designed to urge the auditor to make more informed, documented, and worthwhile decisions that ultimately will provide the client with a more valuable audit product, resulting in a more tailor made corporate audit.

posted by Anthony Miller

The new auditing standards require certain communications to “those charged with governance”. These individuals are responsible for overseeing the strategic direction of the church or ministry. These same individuals have accountability for and to the entity, including the financial reporting process.

Those charged with governance may include a board of directors, a supervisory board, or trustees. Subgroups (such as an audit committee) may be charged with specific tasks to assist a governing body in meeting its responsibilities.

Has the tone been appropriately defined and refined by those charged with governance? See our tone at the top post.

Posted by Anthony Miller

Detection Risk (DR) is the risk the auditor will not detect a misstatement in the financial statements. Detection risk is a function of the effectiveness audit procedures.

Therefore:

RMM (defined previously) X DR = Audit Risk

In our previous posts we have discussed the new risk standards promulgated by the AICPA affecting audits for years ending beginning on or after 12/15/06. In post #4 we briefly discussed SAS 106 and 107. Now we will discuss SAS 108 and 109.

SAS 108 –requires a more detailed audit plan than what was previously accepted. This standard will require more interaction with clients and it may take the auditor longer to generate the plan.

SAS 109 – requires the auditor to perform “risk assessment procedures” to gather information and gain an understanding of the client and their environment. This can be performed in conjunction with documentational questionnaires, client interviews, and “brainstorming” sessions amongst the auditors. This understanding will help the auditor obtain the evidence necessary to support the auditor’s assessment of risk.

Control Risk Definition: Control Risk (CR) is the level of risk that a misstatement will occur and not be detected by the entity's internal controls.

IR (inherent risk - defined in a previous post) x CR (defined above) = Risk of Material Misstatement

Posted by - Anthony Miller

In our previous posts we have discussed several of the new auditing standards that auditors are required to perform for audits with financial statements ending after December 16, 2007. Basically this impacts financial statement audits for years ending December 31, 2007. In this post, we will update you on Statements of Auditing Standard “SAS” # 106 and #107.

SAS 106 – This new standard requires auditors to utilize assertions (i.e. is the account valued correctly? Is this the complete population? Does the client have rights to that asset?), assigned to each account to assess risk and design audit programs. While this step will require additional work in the first year of implementation, it will eventually reduce the amount of testing by eliminating the previously mentioned potential of “over” auditing.

SAS 107 – This step goes hand in hand with SAS #106. Auditors will utilize the audit assertions mentioned above and identify the inherent and control risks for each account within each assertion. The statement provides definitions for the following risks:

Inherent risk - defined as the susceptibility of a material misstatement to a particular account assuming there are no related controls.

Control risk - defined as the susceptibility of a material misstatement to a particular account will go undetected by the controls that are in place.

While this probably sounds like gibberish, in layman’s terms the auditor will assess both of the above-mentioned risks for each account (i.e., cash, inventory, fixed assets, etc…), thus dictating the amount of testing that will be done. So if, for example, the auditors determine that an account has a “low” inherent risk and a “low” control risk, a “low” level or amount of audit testing will be performed. However, if inherent risk and/or control risk is assessed at “moderate” or “high”, then more audit testing will be performed.

Watch for our next post as we discuss the implications described by SAS 108-109.

Posted by Anthony Miller

Auditors normally provide a list of items that they will need during the course of the audit. This list is usually prepared and delivered to the client during the planning phase of the engagement. These items normally include reconciliations and support for selected transaction throughout the year. Management should take time to prepare these work papers and have all applicable requests completed before the audit begins. This maximizes the auditor’s efficiency and management’s time required during the fieldwork.

Another great idea for management to perform is a review of the balance sheet accounts starting at the current assets and moving down through net assets (equity). This review includes a general ledger detail and reconciliation with relevant third party information. This helps identify differences and or errors that have been recorded during the year. Based on the new auditing standards, specifically SAS 112, any error above a significant amount is reported as a significant deficiency by the auditors. To eliminate unnecessary comments in the auditor’s report, management should consider making sure reconciliations and supporting documentation is completed before the audit.

Do you have questions about the audit? E-mail or call me.

Posted by Kirk Vanderslice

As noted in our previous post, the AICPA has issued several new auditing standards that are applicable for audits ending after 12/16/07. We will briefly discuss the 8 new standards:

SAS 104 – More clearly defines the level of assurance auditors are to provide the client and interested 3rd parties regarding whether or not the client’s financial statements are free of material misstatement. This has not direct client impact.

SAS 105 – Expands the scope of the understanding that the auditor must obtain of the client’s internal control. The auditor will likely attempt to identify key revenue and expense ‘streams’ and walkthrough the client’s process of collecting those revenues and expenses from the transactions inception to it being booked in the general ledger. During those walkthroughs (performed with relevant client employees) the auditor will identify controls currently in place that are “key” to the financial statement reporting process. This understanding will provide auditors evidence that ultimately will support the opinion on the financial statements.

Posted by Anthony Miller

Inherent Risk is defined as "what could go wrong, in the absence of internal controls".

Internal Controls are defined as...systems in place that identify errors and irregularities on a timely basis.

Posted by Craig Legener

Churches/Ministries can do a lot of things to prepare for an audit. This preparation can greatly decrease audit time and therefore decrease the related audit fees.

The Ministry can begin by documenting the internal controls related to financial transactions and cycles. They should have clear, detailed procedures for each significant transaction cycle (cash receipts, disbursements, payroll and financial reporting). This could also include contribution collection procedures, fees for services, accounts payable voucher processing, debt procedures, and compliance with donor designations/restrictions. This documentation will assist the auditors in evaluating whether controls/procedures are adequate (based on the size of the Ministry) and whether they have been placed in service for the period under audit.

The Ministry should formally document the understanding and management’s measurement of risks. These risks include

> The Ministry’s strategic business risk,

> Accounting reporting risks, and

> Fraud risks within the Ministry

The Ministry should document the understanding of the above risks and steps taken by management and the board of directors to mitigate the risks identified.

Understanding the Ministry’s controls and risks will help management understand various risks that must be considered by the auditor in auditing the financial statements of the ministry.

See post #2 relating to additional documentation needed for the audit.

Just when you thought you knew exactly what your auditors needed, the American Institute of Certified Public Accountants decided to change the documentation requirements. The AICPA issued 8 new auditing standards that are designed to:

> improve the quality and effectiveness of an audit. In short, the standards force auditors to develop a more in-depth understanding of the client and its environment (including internal controls)

> provide for a more rigorous assessment of the risk of material misstatement of the financial statements and finally

> improve the link between the assessed risks of misstatement with the nature, timing and extent of the audit procedures performed.

So...what in the world does all this mean? See our next post as we begin discussing the new standards.

If your organization is being audited by an external (independent) auditor, you have probably heard them use phrases like “that’s material” or “that’s not material.” This posting attempts to clarify how auditors make that determination as it relates to your business.

The concept of materiality recognizes that some matters, either individually or in the aggregate, are important for financial statements to be fairly presented in conformity with generally accepted accounting principles. In performing the audit, the auditor is concerned with matters that, either individually or in the aggregate, could be material to the financial statements. The auditor’s responsibility is to plan and perform the audit to obtain reasonable assurance that material misstatements, whether caused by errors or fraud, are detected.

The auditor's consideration of materiality is a matter of professional judgment and is influenced by the auditor’s perception of the needs of users (which could be different from client to client) of financial statements. Materiality has been defined as "the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement." That discussion recognizes that materiality judgments are made in light of surrounding circumstances and necessarily involve both quantitative and qualitative considerations.

The evaluation of whether a misstatement could influence economic decisions of users, and therefore be material, involves consideration of the characteristics of those users. Users are assumed to:

a. Have an appropriate knowledge of business and economic activities and accounting and a willingness to study the information in the financial statements with an appropriate diligence;
b. Understand that financial statements are prepared and audited to levels of materiality;
c. Recognize the uncertainties inherent in the measurement of amounts based on the use of estimates, judgment, and the consideration of future events; and
d. Make appropriate economic decisions on the basis of the information in the financial statements.

The determination of materiality, therefore, takes into account how users with such characteristics could reasonably be expected to be influenced in making economic decisions.

More questions? Contact us.

Setting the tone at the top is a key requirement of board governance. Management must establish standards of conduct and follow them. These standards contain the values, philosophy and mission or the organization.

How does this impact the Organization's audit?

Recent changes to the audit standards require the auditor to evaluate the “control environment”. This term is one of the five elements of internal control as defined by the Committee of Sponsoring Organizations (COSO) in the early 1990’s. The Sarbanes Oxley Act of 2002 also encompasses this concept in federal legislation directed at public companies. Those charged with governance (boards) and management (senior pastors) should ask themselves how have they conveyed their attitudes regarding fraud and ethical values to others within their church or ministry. This is a question your auditors will be asking you.

In prior postings, we discussed the reasons an external independent auditor would request their client to sign a management representation letter as well as who should sign the letter. In this post, we will discuss the typical content of the letter.

The letter itself, including the written representations, should be addressed to the auditor. Because the auditor is concerned with events occurring through the date of his or her report, the representations should be made as of the date of the auditor’s report.

The specific written representations obtained by the auditor will depend on the circumstances of the engagement and the nature and basis of presentation of the financial statements. At a minimum, the following topics are normally addressed in the letter:

A. Financial Statements - management's responsibility for fair presentation and beliefs re: conformity with GAAP.

B. All requested information is complete.

C. Management's responsibility to prevent and detect fraud.

D. Subsequent events.

E. Related party transactions and guarantees

F, Significant estimates and material concentrations known to management

G. Certain Significant Risks and Uncertainties - including violation of laws/regulations; unasserted claims or assessments and litigation.

H. Compliance with contractual agreements

One other concept is that management's representations may be limited to matters that are considered either individually or collectively “material” to the financial statements, provided management and the auditor have reached an understanding on materiality for this purpose. Typically, material items are items such that would cause a reasonable person to have a different assessment of the entity’s financial position if they proved to be different than what is stated in the financial statements.

Please feel free to contact us if you have other questions.

In a financial statement audit performed in accordance with generally accepted auditing standards, the auditors are required to obtain a written letter from management that includes certain representations. In a July post, we discussed the reasons an external independent auditor would request their client to sign a management representation letter. In this posting, we discuss who should sign the letter.

The letter should be signed by those members of management with overall responsibility for financial and operating matters whom the auditor believes are responsible for and knowledgeable about, directly or through others in the organization, the matters covered by the representations in the letter. Such members of management normally include the chief executive officer and chief financial officer or others with equivalent positions in the entity.

If current management was not present during all periods covered by the auditor's report, the auditor should nevertheless obtain written representations from current management on all such periods.

In certain circumstances, the auditor may want to obtain written representations from other individuals. For example, he or she may want to obtain written representations about the completeness of the minutes of the meetings of stockholders, directors, and committees of directors from the person responsible for keeping such minutes. Also, if the independent auditor performs an audit of the financial statements of a subsidiary but does not audit those of the parent company, he or she may want to obtain representations from management of the parent company concerning matters that may affect the subsidiary, such as related-party transactions or the parent company's intention to provide continuing financial support to the subsidiary.

Please feel free to contact us if you have other questions.

Why is my external auditor asking me to sign a Management Representation Letter?

If you are a member of senior management and your financial statements are being audited, your external (independent) auditor will ask you to sign a management representation letter or “rep” letter before they release the audited reports to you.

So what is this “rep” letter? In format, it is a letter from management to the auditors but is typically written by the auditors.

Why is this necessary? In short, it is because it is required under Section 333 of U.S. Auditing Standards for audits of financial statements performed in accordance with generally accepted auditing standards.

During an audit, management makes many representations to the auditor, both oral and written, in response to specific inquiries from the auditors. As such, written representations from management should be obtained for all financial statements and periods covered by the auditor's report. Such representations from management are part of the audit evidence the independent auditor obtains, but they are not a substitute for the application of auditing procedures necessary to afford a reasonable basis for an opinion regarding the financial statements under audit.

In many cases, the auditor applies auditing procedures specifically designed to obtain audit evidence concerning matters that also are the subject of written representations. For example, after the auditor performs procedures to identify related party transactions, the auditor may require written representation that all the related party transactions have been identified and disclosed.

In future postings, we will discuss who should sign the letter and the typical content of the letter.

Please feel free to contact us if you have other questions.

Under Statement on Auditing Standard #112, the auditors are required to communite certain information to those charged with governance. Who are these individuals? What are the auditors required to communicate? These and other issues will be explored as we determine who is responsible for financial information and who are responsible for guiding the mission of the church or ministry.

Those charged with governance are members of the board of directors, board of trustees, elders, etc. They are the individuals that oversee the senior pastor and help define, evaluate and refine the mission of the organization.

Responsibilities - the chain of command... Management of the church or ministry is responsible for the financial statements. Executive members of management report to the senior or executive pastor or director. The executive director reports to the board, or those charged with governance.

After the audit has been completed, the auditors are required to communicate certain information to those charged with governance. What items are included in the required communication? See my next post describing the information that must be communicated.

There are several procedures that help auditors find and evaluate subsequent events. These include:

1. Reading and comparing the most recent financial statements to the statements under audit. Obtain client explanations for significant fluctuations.

2. Discussing with executive management:
a. how contingent liabilities were estimated at year-end and if they have been paid subsequent to year-end.
b. if any significant events have occurred after year-end.
c. if any unusual adjustments were made after year-end.
d. if there were any significant changes in long-term debt or significant purchases after year-end.

3. Reading the minutes from board meetings held after year-end.

4. Reading any meeting agendas and summaries of actions for minutes that have not been approved.

5. Reviewing confirmations from legal counsel concerning litigation, claims and assessments.

6. Obtaining a written representation letter from management clarifying any unusual issues or transactions.

7. And when all else fails…perform any other procedures that the auditor considers necessary and appropriate to dispose of any unanswered questions.

So when the auditor asks the CFO for interim financial statements, this is one of the procedures for identifying a subsequent event that could impact the financial statements under audit.

Now you know!

For more information, see events.

Concerned about an event or how to evaluate items for potential disclosures? Post a comment.

Many financial statements disclose subsequent events for a church or ministry. What is a subsequent event and why are they important?

A material event that occurs after the balance-sheet date (say December 31, 2006) but prior to the auditor issuing the financial statements (say March 15, 2007) is a subsequent event. This event may require an adjustment to the financial statements or may require disclosure.

How do you determine if you adjust or disclose?

The first type of a subsequent event provides additional audit evidence that a transaction existed at the date of the balance sheet and usually affect estimates. For example:

A church has registered its pastors for a conference event and owes $10,000 in fees to another church. Subsequent to year-end, the registering church is hit by a tornado and is unable to pay the outstanding fees.

This subsequent event results in the fees being uncollectible and therefore management determines the receivable should be written off. This event required the financial statements to be adjusted subsequent to year-end.

The second type of subsequent event provides evidence of conditions that did not exist at the date of the balance sheet, but arose subsequent to year-end and should be reported or disclosed in order to keep the financial statements from being misleading. For example:

In February, a church kicks off a new capital campaign to raise $10 million for a new facility.

Management may consider this event a material transaction and would disclose the event in order to update the reader on significant transactions that could affect the comparability of future financial statements.

How does an auditor find a subsequent event? See the subsequent post…

In December 2005, the AICPA (American Institute of Certified Public Accountants) issued SAS (Statement on Auditing Standards) #103, Audit Documentation. This statement addresses certain audit practices incorporated during fieldwork. One of the significant changes provided by this new standard is the dating of the audit opinion. Prior to years ending before December 31, 2006, the last day of audit fieldwork was the date the auditors used for the opinion. SAS #103 changes the date of the auditor’s report.

In accordance with U.S. Auditing section 339, paragraph 23 the auditor’s report should not be dated earlier than the date on which the auditor has obtained sufficient appropriate audit evidence to support the opinion. Among other things, sufficient appropriate audit evidence includes evidence that the audit documentation has been reviewed and that the entity’s financial statements, including disclosures, have been prepared and that management has asserted that it has taken responsibility for them.

For examples of sufficient appropriate audit evidence, read on

So instead of having the audit report dated on the last day the auditors are in “the field”, the auditors will date the opinion when:

1. the last piece of significant evidential matter is obtained and

2. management has accepted responsibility for the financials including the disclosures.

This date will typically be closer to the auditor’s release of the statements.

This standard is effective for audits of financial statements for periods ending on or after December 15, 2006 and earlier application is permitted.

There are several new auditing standards that will be implemented during the 2006 and 2007 audits of non-profit organizations. The impact to churches and ministries is the auditor will/should be spending additional time understanding "the business" and assessing the "risk" of a material misstatement to the financial statements. Management must assess external factors affecting the operations of the Church.

In post #4, we discuss changes/differences resulting from SAS 106, Audit Evidence (Supercedes SAS 31 of the same name).

The new standard defines audit evidence as "all the information used by the auditor in arriving at the conclusions on which the audit opinion is based." Previously, this was not defined. How this is obtained is defined more clearly in the standard but emphasis is now placed on inquiry as audit evidence and how that alone is not sufficient to evaluate the design of internal control.

The new standard also describes new assertions that management makes as they apply to their financial statements. Previously, auditors considered five assertions management made. These were that management asserts that financial statement items existed, were owned, were complete, were properly valued and properly presented.

The new standard now expands these five assertions to thirteen, broken into three broad categories of the following:

Classes of Transactions and Events
1. The transactions "occurred"
2. The transactions are "complete" and have been recorded
3. The transactions are "accurate"
4. The trasactions were properly "cut off" and occured in the correct accounting period
5. The transactions are properly "classified" in the proper accounts

Account Balance Assertions
6. The assets, liabilities and equity interests "exist"
7. The entity owns the "rights and obligations" of the assets/liabilities of the entity
8. The financial statements are "complete" as to recording of assets, liabilities and equity interests.
9. The assets, liabilities and equity interests are properly "valued"

Presentation and Disclosure Assertions
10. Disclosed events and transactions have "occurred"
11. All disclosures are "complete" and have been included in the financial statements
12. Financial information is appropriately described and is "understandable"
13. Financial information is appropriately "valued"

For auditors, this, in many cases, will require designing new audit procedures to address these new assertions. Assertions 1-5 will mainly affect tests of internal controls. Assertions 6-9 will affect testing of balance sheet accounts. Assertions 10-13 will affect financial statements and footnotes with new emphasis on "understandability" by the presumed reader.

For clients, this will impact their responsibility for their own financial statements. Clients can no longer rely on the auditors to draft their financial statements and footnotes as before. They will have to become more proactive in ensuring proper internal controls are in place to allow the auditors to effectively address these assertions in all facets of the audit and obtain proper evidence of the same.

In future postings, we will be discussing ways both parties can do this.

This posting is a continuation of previous discussions on the new Risk Assessment Standards. In this posting, we discuss changes/differences resulting from SAS 105 Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards.

This standard expands the understanding that an auditor must have of their audit client from having an understanding of "internal control" to "the entity and its environment, including its internal control. In the past, the purpose of this was to allow the auditor to "plan the audit." However, the purpose of this understanding has been modified to "assess the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing and extent of further audit procedures.

For the auditor, this means they will need to expand their overall knowledge of the client to include both internal and outside influences that could affect client internal controls. For the client, management will have to start thinking beyond the normal day-to-day internal controls and consider how high-level or outside influences could affect their internal operational controls and address/mitigate those concerns with their auditors prior to or near the beginning of their audits.

In post #4, we will be discussing SAS 106 dealing with Audit Evidence.

In a Brave New World of Risk Assessment post #1, we introduced the new risk assessment standards published in March 2006 for CPAs. We will summarize the high-level differences between the old and new standards and their effect on auditors and their clients.

SAS 104 Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures ("Due Professional Care in the Performance of Work").
The previous standard made reference to "reasonable assurance" when discussing how the auditor must exercise due professional care to plan and perform their audit of the financial statements so that it was free of material misstatement due to error or fraud. The new standard now defines "reasonable assurance" as "high, but not absolute, level of assurance."

For auditors, this is meant to imply that the auditor now must have a better understanding of their clients and their operations for the year/period under audit. As for clients, this will mean that your auditors will be spending more time gaining this understanding with you--mainly in the beginning phase of the audit.

See post #3, explaining implementation of "understanding the client's business".

In March 2006, the Auditing Standards Board (ASB), the senior technical body of the AICPA, released its long-anticipated Risk Assessment standards (SAS 104-111) relating to assessment of risk in an audit of financial statements. These standards amended or replaced several existing standards in an effort to enhance overall quality of audits by focusing the auditor's attention on areas such as:

1. A more in-depth understanding of the entity and its control environment
2. A more rigorous assessment of the risks of material misstatement of the financial statements based on that understanding
3. An improved linkage between the assessed risk and nature, timing, and extent of audit procedures performed in response to those risks.

Another reason for these standards at this time is that the ASB has been working with the International Federation of Accountants to bring forth the convergence and acceptance of an international set of auditing standards.

The effective date for these standards will be for audit periods ending after December 15, 2007.

So what affect do these new audit standards have on non-profit ministry organizations? During the 2006 and 2007 audits, your auditors will/should be spending more time understanding the Church's operations and "linking" risk with internal controls. It is anticipated that these new standards will result in more audit documentation during the "planning" and control testing phase, thus affecting the audit fee.

More good news for 2007! See post #2 on understanding "the client".

In future postings, we will be noting important changes/differences between existing standards and the new standards and their effect on auditors and their clients.