Audit S implified

1. AuditSimplified Stephen J.M. Schiltz, CPA Principal stephen.schiltz@CLAconnect.com

2. Today’s Presenter Stephen J.M. Schiltz, CPA Principal Tucson, Arizona Office CliftonLarsonAllen LLP 520-352-1259 stephen.schiltz@CLAconnect.com Stephen Schiltz is a principal at CliftonLarsonAllen’s (CLA) Tucson office. He began his career with CLA in 2002 and has extensive experience providing assurance and consulting services to the financial institution industry. Steve has made presentations to management teams, audit/supervisory committees, and boards of directors, as well as national speaking engagements and webinars. A licensed CPA in Arizona and Texas, Steve is a member of the AICPA, Arizona Society of CPA’s and the Beta Gamma Sigma Honor Society. He received his bachelor’s in accounting, cum laude, from the University of Arizona in Tucson.

3. About CLA…

4. CLA Highlights 18+ industries Hundreds of services

5. Agenda • Substantive Procedures • Concluding the Audit • Communications with Governance • Best Practices in Dealing with Auditors • The Independent Auditors’ Objective • Initial Audit Procedures • Pre-Engagement • Risk Assessment • Evaluating Internal Control, Including IT

6. The Independent Auditors’ Objective • The independent auditors’ objective is to provide an opinion on the financial statements: • Unmodified Opinion • Reasonable assurance that the financial statements are presented fairly, in all material respects, in accordance with generally accepted accounting principles (GAAP) • Qualified Opinion- exception(s) to the above • Adverse Opinion- NOT fairly presented • Disclaimer of Opinion- NO opinion provided

7. Initial Audit Procedures • Communicate with predecessor auditor (if applicable) • Integrity and competence of management • Any disagreements with management • Any communications regarding fraud, noncompliance, or internal control related matters • Reasons for change in auditors

8. Initial Audit Procedures • Review prior year financial statements and tax returns • Read significant legal documents • Review prior year audit reports • Review predecessor auditor workpapers to rely on beginning balances (obtain permission from client)

9. Pre-Engagement • Engagement acceptance and continuance process • Evaluation of independence • Nonattest services provided • Affiliates • Other threats to independence • Engagement letter and management acknowledgement

10. Pre-Engagement • Request list • Requested documents • Timing of audit procedures • Internal control documentation • Confirmation templates • Planning meetings (management & governance) • Time budget • Tailor audit programs based on account balances & risk

11. Risk Assessment • Understand the entity and its environment • Determine planning materiality based on selected benchmarks (total revenue, assets, equity, etc.) • Overall audit strategy and team meeting • Understand fraud risks: • Fraud inquiries • Unpredictability testing

12. How is Fraud Detected? • Tip (39.6%) • Internal Audit (23.8%) • By Accident (21.3%) • Internal Controls (18.4%) • External Audit (10.9%) • Notified by Police (0.9%)

13. How is Fraud Detected? • According to the Association of Certified Fraud Examiners’ 2016 Report to the Nations, organizations that had fraud hotlines were much more likely to detect fraud through tips than those without: • With fraud hotline (47.3%) • No fraud hotline (28.2%)

14. Fraud Inquiries – Who? • Management (CEO and CFO) • Governance (Chair) • Internal audit • Others

15. Fraud Inquiries – What? • Internal controls? • Monitoring? • Communications with governance? • Compliance with laws and regulations? • Knowledge of any fraud? • Fraud reporting (hotline)? • Tone at the top? • Fraud risks?

16. Risk Assessment • Preliminary analytical procedures • Identify significant changes in account balances • Corroboration of topics discussed during planning meetings • Data analytics • Risk assessment analysis by account area • Inherent risk * control risk = risk of material misstatement • Document how risks will be addressed through control and substantive testing

17. Evaluating Internal Control • Entity-level controls, including tone at the top • Understanding transaction processing and internal controls • Consideration of IT, including the use of a specialist • Tests of control design and effectiveness • Using the work of internal audit

18. Consideration of IT • Obtain an understanding of the IT systems used and the related control environment • Are systems administered internally, or outsourced? • If administered internally, consider testing system inputs/outputs. • If outsourced, consider obtaining and relying on the Service Organization Controls (SOC) Report.

19. Consideration of an IT Specialist • Is internet based technology used? • Are electronic workflows used? • Are interfaces used? • Was there a major upgrade? • Has there been turnover in IT staff? • Is the data highly sensitive? • Are the systems complex?

20. Internal Control Testing Test of Design Test of Effectiveness Evaluation of the operating effectiveness of relevant controls Verifying that a reconciliation has been accurately prepared and reviewed • Evaluation of the design of key controls and whether they have been implemented • Verifying that a reconciliation has been signed and dated by a preparer and a reviewer

21. Using the Work of Internal Audit • Evaluate the independence, competence and objectivity of the internal audit function • Evaluate the internal audit plan • Communicate with governance • Coordinate internal audit activities: • Obtaining audit evidence through inspection and evaluation of the work performed (during internal audits) • Providing direct assistance during audit fieldwork

22. Internal Audit Competence • Educational level and professional experience • Professional certification and continuing education • Audit policies, programs, and procedures • Practices regarding assignment of internal auditors • Supervision and review of internal auditors’ activities • Quality of working-paper documentation, reports and recommendations • Evaluation of internal auditors’ performance

23. Substantive Procedures • Review board of directors and audit/supervisory committee meeting minutes • Review of regulatory examination reports • Obtain reconciliations, rollforwards, and subsidiary ledgers for significant account balances and agree to the general ledger • Use of data analytics – journal entry testing

24. Why Use Data Analytics? • Improved efficiency – automated • Repeatable tests – can run on data at anytime • Wider coverage – full coverage of testing population rather than “spot checks” on transactions • Early warning system – identify fraud before it becomes material http://www.ey.com/Publication/vwLUAssets/EY_-_Forensic_Data_Analytics/$FILE/EY-Data-Analytics-The-role-of-data-analytics-in-fraud-prevention.pdf

25. Benford’s Law • Helps to identify irregularities in numbers • Numbers starting with lower digits (1) occur more often than numbers starting with higher digits (9)

26. Substantive Procedures • Trace significant transactions to subsequent clearing and verify proper cut-off • Confirm significant account balances • Evaluate the reasonableness of significant estimates • Perform analytical procedures for income and expense accounts • Obtain and validate required footnote disclosures

27. Concluding the Audit • Draft the audit reports, including: • Financial statements • Internal control communication (management letter) • Written communication to governance • Any other required reports • Exit meeting

28. Exit Meeting • Meet with management at the conclusion of audit fieldwork to discuss: • Status of the audit • Findings and recommendations • Pending items • Industry issues • Recent audit, accounting and regulatory changes

29. Communications with Governance • Changes to accounting policies • Significant accounting estimates • Difficulties encountered in performing the audit • Uncorrected misstatements • Corrected misstatements • Disagreements with management • Management representations

30. Communications with Governance • Management consultations with other auditors • Significant findings or issues discussed with management • Fraud or suspected fraud (if applicable) • The entity’s ability to continue as a going concern (if applicable) • Supplemental information accompanying the financial statements (if applicable)

31. Best Practices in Dealing with Auditors • Always be prepared • Provide requested audit documentation by the deadline • Be available and accessible • Make sure that key personnel are present during audit fieldwork • Answer questions and provide additional documentation in a timely manner • Be accountable

32. Accountability Doing what you said you were going to do… to the best of your ability, on time, without needing to be reminded!

33. Communication is Key • Audit expectations • Clarification of requested items • Discuss prioritization • Establish reasonable deadlines • Keep your auditors informed of complex, significant, and/or unusual transactions throughout the year

34. Best Practices in Dealing with Auditors • Follow-up after audit fieldwork to ensure that all pending items are provided in a timely manner. • Review report drafts timely and provide any suggested changes to give auditors sufficient time to issue the audit reports by internal and external deadlines. • Respond in writing to all findings and recommendations made by the auditors and follow through on implementation.

35. Questions?

36. Thank You! Stephen J.M. Schiltz, CPA Principal stephen.schiltz@CLAconnect.com