Auditors’ Responsibilities Formalized Under SAS 109
Understanding Risks Associated with the Legal and Regulatory Environment
By Lisa N. Bostick and Michael S. Luehlfing
FEBRUARY 2007

Statement on Auditing Standards (SAS) 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, formalizes the linkage between the risk of material misstatement in an entity’s financial statements and the entity’s overall operating environment. SAS 109 requires the auditor to obtain an understanding of the risks associated with the entity’s regulatory, legal, and political environment, including environmental requirements. When significant risks exist, the auditor is required to evaluate the design of the entity’s related internal controls and to determine whether those controls have been implemented and are operating effectively. In addition to the guidance found in SAS 109, the guidance provided in SAS 99, Consideration of Fraud in a Financial Statement Audit, can also help the auditor understand the risks associated with the entity’s legal and regulatory environment.
Understanding the Entity and Its Environment

SAS 109 is grounded in the adage “you can’t audit what you don’t understand.” In this regard, the SAS specifies that auditors should:
- perform certain risk assessment procedures (Exhibit 1) to obtain an understanding of the entity and its environment (Exhibit 2), including its internal control (Exhibit 3); and
- assess, with audit team members, the susceptibility of the entity’s financial statements to material misstatement.
SAS 109 indicates that the auditor’s understanding of the entity and its environment extends beyond a basic understanding of the accounting and financial aspects of the entity. For example, the auditor must identify the risk factors associated with the entity’s operations, industry conditions, regulatory environment, and so on (Exhibit 2) that might result in material misstatement of the financial statements. Identifying risk factors provides the auditor with information about the entity’s susceptibility to material misstatement resulting from issues such as:
- revenue recognition;
- disclosure requirements;
- valuation and allocation;
- related-party transactions;
- liabilities, including contingent liabilities; and
- going-concern status.
In addition to obtaining an understanding of the entity and its environment, the auditor must also obtain an understanding of the entity’s internal control. In this regard, SAS 109 uses the Committee of Sponsoring Organizations’ (COSO’s) internal control framework as the basis for assessing the risk of material misstatement. The framework has five components: control environment; risk assessment; information and communication systems; control activities; and monitoring. Additionally, the framework describes internal control as a process designed to provide reasonable assurance about achieving objectives related to the reliability of financial reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations.
Significantly, SAS 109 provides requirements and guidance on the auditor’s responsibilities with respect to each of these three objectives. With respect to the reliability of financial reporting, SAS 109 provides that the auditor is generally concerned with the internal controls over the reliability of financial reporting, including the management of risks that may result in material misstatement of the financial statements. With respect to the effectiveness and efficiency of operations, SAS 109 recognizes that related controls are relevant to an audit if they relate to information or data the auditor uses in applying audit procedures (e.g., controls over nonfinancial data, such as production statistics, that the auditor may use in analytical procedures). Similarly, with respect to compliance with laws and regulations, SAS 109 indicates that controls pertaining to detecting noncompliance with laws and regulations that have a “direct and material effect” on the financial statements—such as controls over compliance with the income tax laws and regulations used in determining the income tax provision—may be relevant to the audit.
Although SAS 109 does not specifically address controls over compliance with laws and regulations that have an “indirect and material effect” on the financial statements, it does require procedures that would more likely than not detect inadequate controls over compliance with such laws and regulations. For example, SAS 109 indicates that the auditor should inquire about:
- compliance with laws and regulations (of in-house counsel), to identify contingent liabilities;
- marketing and production strategies, new-product development, and contractual agreements (of marketing and production personnel), to confirm adequate disclosures and to identify contingent liabilities and going-concern issues;
- the regulatory, legal, and political environment and environmental requirements, to identify contingent liabilities and revenue-recognition and going-concern issues; and
- the entity’s objectives and strategies and related business risks, to identify valuation, contingent-liability, and going-concern issues.
Fortunately, in addition to the guidance in SAS 109, the guidance in SAS 99 facilitates the auditor’s ability to identify and assess possible risks of material misstatement with respect to the entity’s noncompliance with laws and regulations, whether direct or indirect.
SAS 54, Illegal Acts by Clients

In 1988, the AICPA issued SAS 54, Illegal Acts by Clients, which provides guidance on the auditor’s responsibility for detecting illegal acts in audits of financial statements. SAS 54 classifies illegal acts as either those with a direct effect on the financial statements or those with an indirect effect. Those with a direct effect generally relate to the financial and accounting aspects of an entity; those with an indirect effect generally relate to its operational aspects. The auditor’s responsibility for considering direct-effect illegal acts is the same as the responsibility for considering errors and fraud (the latter delineated in SAS 99), whereas the auditor’s responsibilities for considering indirect-effect illegal acts are delineated in SAS 54.
The auditor’s responsibilities for considering indirect-effect illegal acts under SAS 54 are limited. SAS 54 stipulates that auditors should be aware of the possibility that such illegal acts may have occurred, should make certain inquiries regarding compliance with laws and regulations, and should obtain management representations concerning violations of laws and regulations that should be disclosed in the financial statements. SAS 54 specifies that an auditor provides no assurance that indirect-effect illegal acts will be detected.
Laws and Regulations

Both SAS 99 (Exhibit 4) and SAS 109 (Exhibit 1) require an auditor to obtain knowledge about an entity’s business and the industry in which it operates. Auditors should: 1) make inquiries of management and others within the entity, such as employees with varying levels of authority, operating personnel not directly involved in the financial reporting process, employees involved in initiating, recording, or processing complex or unusual transactions, and in-house legal counsel; 2) consider any unusual or unexpected relationships identified while performing analytical procedures; 3) consider whether one or more fraud risk factors exist; and 4) consider other information that may be helpful.

SAS 99 (Exhibit 4) and SAS 109 (Exhibit 1) provide specific inquiries that an auditor should make to identify risks of material misstatement. Such inquiries should enhance an auditor’s ability to identify and assess possible risks of material misstatement with respect to the entity’s noncompliance with laws and regulations, whether direct or indirect. For example, auditors should ask management and others within the entity (e.g., production, marketing, sales, in-house legal counsel, and those charged with governance) whether they have knowledge of any violations of laws and regulations. Specifically, the human resources manager should be familiar with the Civil Rights Act, the Americans with Disabilities Act, and regulations regarding sexual harassment; the production manager should be familiar with the laws and regulations administered by OSHA and the EPA.
To corroborate these inquiries and to obtain information about other potential violations of laws and regulations, an auditor must be cognizant of potential illegal acts while observing the activities and operations of the entity; reviewing or inspecting documents, records, and control manuals; and visiting the entity’s premises and plant facilities.
Finally, SAS 99 requires an auditor to evaluate whether an entity’s programs and controls to address risk situations have been suitably designed and placed into operation. Understanding such programs and controls (Exhibit 5) can enhance an auditor’s ability to identify and assess possible risks of material misstatement with respect to an entity’s noncompliance with laws and regulations, whether direct or indirect. For example, programs designed to create a culture of honesty and high ethics should also deter violations of laws and regulations.
Lisa N. Bostick, DBA, CPA, CFE, is the program director of the master of science in accounting and an assistant professor at The University of Tampa, Tampa, Fla. Michael S. Luehlfing, PhD, CPA, CMA, is the Max P. Watson Professor of Accounting in the school of professional accountancy at Louisiana Tech University, Ruston, La.