Auditors’ Responsibilities Formalized Under SAS 109
Understanding Risks Associated with the Legal and Regulatory Environment

By Lisa N. Bostick and Michael S. Luehlfing

FEBRUARY 2007 - Statement on Auditing Standard (SAS) 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, formalizes the linkage between the risk of material misstatement in an entity’s financial statements and the overall operating environment of an entity. SAS 109 requires the auditor to obtain an understanding of the risks associated with the entity’s regulatory, legal, and political environment, including environmental requirements. When significant risks exist, the auditor is required to evaluate the design of the entity’s related internal controls and determine whether the controls have been implemented and are effectively operating. Fortunately, in addition to the guidance found in SAS 109, the guidance provided in SAS 99, Consideration of Fraud in a Financial Statement Audit, can also facilitate the auditor’s understanding of the risks associated with the entity’s legal and regulatory environment.

Understanding the Entity and Its Environment

SAS 109 is grounded in the adage “you can’t audit what you don’t understand.” In this regard, the SAS specifies that auditors should:

  • perform certain risk assessment procedures (Exhibit 1) to obtain an understanding of the entity and its environment (Exhibit 2), including its internal control (Exhibit 3); and
  • assess, with audit team members, the susceptibility of the entity’s financial statements to material misstatement.
SAS 109 indicates that the auditor’s understanding of the entity and its environment extends beyond a basic understanding of the accounting and financial aspects of the entity. For example, the auditor must identify the risk factors associated with the entity’s operations, industry conditions, regulatory environment, and so on (Exhibit 2) that might result in material misstatement of the financial statements. Identifying risk factors provides the auditor with information about the entity’s susceptibility of material misstatement resulting from issues such as:

  • revenue recognition;
  • disclosure requirements;
  • valuation and allocation;
  • related-party transactions;
  • liabilities, including contingent liabilities; and
  • going-concern status.

In addition to obtaining an understanding of the entity and its environment, the auditor must also obtain an understanding of the entity’s internal controls. In this regard, SAS 109 provides guidance in terms of the Committee of Sponsoring Organizations’ (COSO’s) internal control framework to assess the risk of material misstatement. The framework has five components: control environment; risk assessment; information and communication systems; control activities; and monitoring. Additionally, the framework describes internal control as a process designed to provide reasonable assurance about achieving objectives related to the reliability of financial reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations.

Significantly, SAS 109 provides requirements and guidance on the auditor’s responsibilities with respect to each of these three objectives. With respect to the reliability of financial reporting, SAS 109 provides that generally the auditor is concerned with the internal controls over the reliability of financial reporting, including the management of risks that may result in material misstatement of the financial statements. With respect to the effectiveness and efficiency of operations, SAS 109 recognizes that related controls are relevant to an audit if the controls relate to information or data used in applying audit procedures (e.g., controls pertaining to nonfinancial data that the auditor may use in analytical procedures, such as production statistics). Similarly, with respect to compliance with laws and regulations, SAS 109 indicates that controls pertaining to detecting noncompliance with laws and regulations that have a “direct and material effect” on the financial statements—such as controls over compliance with income tax laws and regulations used in determining the income tax provision—may be relevant to the audit.

Significantly, while SAS 109 does not specifically address controls over compliance with laws and regulations that have an “indirect and material effect” on the financial statements, SAS 109 does require procedures that would more likely than not detect inadequate controls over compliance with such laws and regulations. For example, SAS 109 indicates that the auditor should inquire about:

  • compliance with laws and regulations from in-house counsel to identify contingent liabilities;
  • marketing and production strategies, new-product development, contractual agreements from marketing and production personnel to confirm adequate disclosures and identify contingent liabilities and going-concern issues;
  • the regulatory, legal, and political environment and environmental requirements to identify contingent liabilities and revenue-recognition and going-concern issues; and
  • the objectives and strategies and related business risks to identify valuation, contingent liabilities, and going-concern issues.

Fortunately, in addition to the guidance in SAS 109, the guidance in SAS 99 facilitates the auditor’s ability to identify and assess possible risks of material misstatement with respect to the entity’s noncompliance with laws and regulations, whether direct or indirect.

SAS 54, Illegal Acts by Clients

In 1988, the AICPA issued SAS 54, Illegal Acts by Clients, which provides guidance on the auditor’s responsibility for detecting illegal acts in the audits of financial statements. SAS 54 classifies illegal acts as either those with a direct effect on the financial statements or those with an indirect effect. Those with a direct effect generally relate to the financial and accounting aspects of an entity. Those with an indirect effect generally relate to the operational aspects of an entity. The auditor’s responsibilities for considering direct illegal acts are the same as for considering errors and thus are delineated in SAS 99, whereas the auditor’s responsibilities for considering indirect illegal acts are delineated in SAS 54.

The auditor’s responsibilities for considering indirect illegal acts under SAS 54 are limited. SAS 54 stipulates that auditors should be aware of the possibility that such illegal acts may have occurred, they should make certain inquiries regarding compliance with laws and regulations, and they should obtain management representations concerning violations of laws and regulations that should be disclosed in the financial statements. SAS 54 specifies that an auditor provides no assurance that indirect illegal acts will be detected.

Laws and Regulations

Both SAS 99 (Exhibit 4) and SAS 109 (Exhibit 1) require an auditor to obtain knowledge about an entity’s business and the industry in which it operates. Auditors should: 1) make inquiries of management and others within the entity, such as employees with varying levels of authority, operating personnel not directly involved in the financial reporting process, employees involved in initiating, recording, or processing complex or unusual transactions, and in-house legal counsel; 2) consider any unusual or unexpected relationships while performing analytical procedures; 3) consider whether one or more fraud risk factors exist; and 4) consider other information that may be helpful.

SAS 99 (Exhibit 4) and SAS 109 (Exhibit 1) provide specific inquiries that an auditor should make to identify the risk of material misstatement. Such inquiries should enhance an auditor’s ability to identify and assess possible risks of material misstatement with respect to the entity’s noncompliance with laws and regulations, whether direct or indirect. For example, auditors should ask management and others within the entity (e.g., production, marketing, sales, in-house legal counsel, and those charged with governance) whether they have knowledge of any violations of laws and regulations. Specifically, the human resources manager should be familiar with the Civil Rights Act, the Americans with Disabilities Act, and regulations regarding sexual harassment; the production manager should be familiar with the laws and regulations of OSHA and the EPA.

To corroborate these inquiries and to obtain information about other potential violations of laws and regulations, an auditor must be cognizant of potential illegal acts while observing the activities and operations of the entity; reviewing or inspecting documents, records, and control manuals; and visiting the entity’s premises and plant facilities.

Finally, SAS 99 requires an auditor to evaluate whether an entity’s programs and controls to address risk situations have been suitably designed and placed into operation. Understanding such programs and controls (Exhibit 5) can enhance an auditor’s ability to identify and assess possible risks of material misstatement with respect to an entity’s noncompliance with laws and regulations, whether direct or indirect. For example, programs designed to create a culture of honesty and high ethics should also deter violations of laws and regulations.
Lisa N. Bostick, DBA, CPA, CFE, is the program director of the master of science in accounting and an assistant professor at The University of Tampa, Tampa, Fla. Michael S. Luehlfing, PhD, CPA, CMA, is the Max P. Watson Professor of Accounting in the school of professional accountancy at Louisiana Tech University, Ruston, La.

©2009 The New York State Society of CPAs.